{"id":16158,"date":"2014-03-18T09:10:57","date_gmt":"2014-03-18T15:10:57","guid":{"rendered":"https://www.webroot.com/blog/?p=16158"},"modified":"2018-10-05T13:18:15","modified_gmt":"2018-10-05T19:18:15","slug":"5m-harvested-russian-mobile-numbers-service-exposes-fraudulent-infrastructure","status":"publish","type":"post","link":"https://www.webroot.com/blog/2014\/03\/18\/5m-harvested-russian-mobile-numbers-service-exposes-fraudulent-infrastructure\/","title":{"rendered":"5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure"},"content":{"rendered":"

Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself)<\/strong><\/a> mobile number harvesting tools<\/strong><\/a>, successfully setting up the foundations for commercial managed<\/strong><\/a>\/on demand mobile phone number harvesting services<\/strong><\/a>, ultimately leading to an influx of mobile \u00a0malware\/spam campaigns. In addition to boutique based DIY operations, sophisticated, ‘innovation’ and market development-oriented cybercriminals are actively working on the development of commercially available<\/strong><\/a> Android-based botnet generating tools<\/strong><\/a>, further fueling growth into the market segment<\/strong><\/a>.<\/p>\n

In a series of blog posts, we’ve been profiling multiple cybercrime-friendly services\/malicious Android-based underground market releases, further highlighting the professionalization of the market segment in terms of sophistication and\u00a0QA<\/strong><\/a> (Quality Assurance<\/strong><\/a>).<\/p>\n

We’ve recently spotted a service offering 5M+ harvested and segmented Russian mobile phone numbers on a per business status\/gender\/driving license basis. What’s particularly interesting about this service is the fact that it exposes a long-run fraudulent Win32:SMSSend serving infrastructure (SEVAHOST-AS Seva-Host Ltd (AS49313<\/strong><\/a>), segmented harvested mobile phone numbers of Sochi citizens, a fake (paid) medical leave\/absence service targeting Sochi citizens, and a portfolio of rogue mobile apps leading to the exposure of a mobile botnet, surprisingly relying on an identical hardware\/bot ID.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of the 5M+ harvested mobile phone numbers service:<\/strong><\/p>\n

\"Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers\"<\/a><\/p>\n

The service’s main URL responds to 91.228.155.210.<\/p>\n

Parked on the same IP (91.228.155.210) are also the following fraudulent\/cybercrime-friendly domains:<\/strong>
\nhxxp:\/\/instagramm-registration.ru<\/p>\n

Related rogue game MD5s known to have been (historically) hosted at the same IP (91.228.155.210):<\/strong>
\nMD5: 68c1c11d86bc272e9a975400e2991e41
\nMD5: 3ccf8cfc88d7228e8e4345d389ce56ef
\nMD5: 6bf0482a0bd8fcf19a88e7a03abd69ef
\nMD5: 232c501fec973e8923143e41b520f698
\nMD5: 5601f871f3f1873c1da971358799f088
\nMD5: 94abca6d4ec24fdbe1ec74f40b4a77cd
\nMD5: 126bc6cb8e58c7859768d9390c726774
\nMD5: 966e3bbd0f77463403bb200454544cd4<\/p>\n

The following malicious MD5s are also known to have phoned back to the same IP (91.228.155.210):<\/strong>
\nMD5: 6e6a09ec8235705f314ed2fae8fab01a
\nMD5: 676dc0a061886bf537e01ddceb6c9230<\/p>\n

\"Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers__\"<\/a><\/p>\n

The existence of the secondary services (segmented mobile phone numbers belonging to Sochi citizens\/paid medical leave services), parked on the same IP as the original 5M+ harvested mobile phone numbers offering service, is a decent example of market segmentation in the context of an event-based type of underground market offering targeting the Sochi Olympics. Not surprisingly, cybercriminals have already taken advantage of this segment, and in a true fraudulent\/malicious nature, have launched social engineering driven\u00a0Android-based malware serving SMS spam campaigns<\/a>\u00a0<\/strong>(MD5:\u00a0361e92c344294d8b4fce0c302f61716a).<\/p>\n

\"Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers__01\"<\/a><\/p>\n

Sample screenshot of the fraudulent Instagram site parked on the same IP\u00a0(91.228.155.210):<\/strong><\/p>\n

\"Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers_01\"<\/a><\/p>\n

Redirection chain for the rogue Instagram app site:<\/strong>
\nhxxp:\/\/instagramm-registration.ru\/<\/em> -> hxxp:\/\/domainusers.biz\/?page=lending&type=soft&size=1&ext=rar&link=http:\/\/tds-link-asg.biz\/?tds=1275&page=search&parent=similar&key=Instagram_registration_(soft).zip&key=programma_instagram_register_PC<\/em> ->
\nhxxps:\/\/www.tcsbank.ru\/credit\/form\/cash\/?utm_source=troywell_apr_cc&utm_medium=aft.apr&utm_content=network&utm_campaign=creditcard&wm=1otx&sid=701411425&prx=701411425<\/em><\/p>\n

Redirectors domain name reconnaissance:<\/strong>
\ndomainusers.biz – 91.202.63.117
\ntds-link-asg.biz – 91.202.63.119<\/p>\n

\"Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers_02\"<\/a><\/p>\n

Name server reconnaissance for the redirectors:<\/strong>
\nNS11.LIMONBUCKS.COM – 91.217.85.34 – Email: sevacash@gmail.com – SEVAHOST-AS Seva-Host Ltd (AS49313)<\/a><\/strong>
\nNS12.LIMONBUCKS.COM – 91.217.85.37 – Email: sevacash@gmail.com<\/p>\n

Name servers resonnaissance of the rogue\/fraudulent mobile apps serving rogue affiliate network operating the redirectors:<\/strong>
\nns1.sevadns.com – 91.217.85.35 – hxxp:\/\/sevadns.com -> hxxp:\/\/seva-hosting.com (91.217.85.35)
\nns1.sevadns.com – 91.217.85.36<\/p>\n

A peek inside sample statistics from the rogue mobile apps serving affiliate network:<\/strong><\/p>\n

\"Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers_04\"<\/a><\/p>\n

Known to have phoned back to (91.202.63.119;\u00a0tds-link-asg.biz<\/strong>) is also the following malicious MD5: bf0074d6e2745925ec8ef3225a2052e1<\/a>.\u00a0<\/strong>Known C&C – hxxp:\/\/91.202.63.119\/showthread.php?j6m=452416&nmhn=401c4ab9717ac07af8449176f3b07cfb&o=8,f4aacf34b635ccbe03dcc87bc52e7c49<\/em>. Responding to the same IP, is also the Web site of the mobile traffic\/rogue apps serving affiliate network<\/strong><\/a>.<\/p>\n

Known C&C domain responding to the same IP:<\/strong> majdong.ru (91.202.63.119)<\/p>\n

Related DNS requests performed by the sample (MD5: bf0074d6e2745925ec8ef3225a2052e1<\/a>)<\/strong>:<\/strong>
\nedreke.ru
\nedreke.ru.ovh.net<\/p>\n

Name servers reconnaissance:<\/strong>
\nName server: ns1.zippro.ru – 37.221.164.2
\nName server: ns2.zippro.ru – 37.221.164.3<\/p>\n

\"Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers_03\"<\/a><\/p>\n

Known to have phoned back to the same C&C server majdong.ru (91.202.63.119) are also the following malicious MD5s:<\/strong>
\nMD5: 9a05f7572ff50115fb22a4b3841ab137
\nMD5: 00adadb8e8a1d73c444134f2d1c1fba0
\nMD5: 651397e89d4b5687d1c8ce4834dc4234
\nMD5: bf0074d6e2745925ec8ef3225a2052e1<\/p>\n

Known to have been downloaded from the same IP (ns1.zippro.ru – 37.221.164.2) are also the following malicious MD5s:<\/strong>
\nMD5: b58b0539818762becd4f5051a3c81b46
\nMD5: a385f6362f5ceb69db4c03ed324dfc34<\/p>\n

Known to have phoned back to (ns1.zippro.ru – 37.221.164.2) are also the following malicious MD5s:<\/strong>
\nMD5: c6e5c1508ace1dfed450f8f69b11f1e6
\nMD5: f5399127b908f5a3ad994ca0e681cb26
\nMD5: aad3f6de5ae8c595797c55716a83adde<\/p>\n

Known to have been downloaded from the same IP (ns2.zippro.ru – 37.221.164.3) are also the following malicious MD5s:<\/strong>
\nMD5: 522c729109ba4a51b5f361d33b5b3edb
\nMD5: 243934ec2546c54c1cb6d9309896a035
\nMD5: 578d5a1f5b968d01e553f7c94e12b235
\nMD5: b7baa6ccf6d9242b7e5d599830fa12b1<\/p>\n

Known to have phoned back to (ns2.zippro.ru – 37.221.164.3) are also the following malicious MD5s:<\/strong>
\nMD5: ac3477ad87db7cfe4373cb2135eb1387
\nMD5: be49f224212ac9e05ae6b67b299350f2
\nMD5: a6f82de33bf03e8cb197cbc426942dca
\nMD5: 3204e633b6892171830004aedc5b6907
\nMD5: e31e8f4805768c326e28c68a6f406acc
\nMD5: d9920001704950e4f4c18d6e2ec30aae
\nMD5: 132cec7617f656db385d7acf31cd3393
\nMD5: be49f224212ac9e05ae6b67b299350f2
\nMD5: a6f82de33bf03e8cb197cbc426942dca
\nMD5: 93dfb678ecd06d27e59f96f2f30a52d5<\/p>\n

Based on our analysis, we were able to successfully identify an identical pseudo-random hardware ID\/bot ID, that we were also able to connect to related W32.SMSSend campaigns, further confirming that\u00a0cybercriminals continue to actively multi-task in 2014<\/strong><\/a>.<\/p>\n

Related W32.SMSSend hardware ID\/bot ID campaigns using the same pseudo-random ID:<\/strong> 401c4ab9717ac07af8449176f3b07cfb<\/p>\n

Sample fraudulent W32.SMSSend MD5s relying on the same pseudo-random ID known to have phoned back to 64.120.227.154\/185.15.209.17:<\/strong>
\nMD5: ac3477ad87db7cfe4373cb2135eb1387
\nMD5: be49f224212ac9e05ae6b67b299350f2
\nMD5: a6f82de33bf03e8cb197cbc426942dca
\nMD5: 93dfb678ecd06d27e59f96f2f30a52d5
\nMD5: 3204e633b6892171830004aedc5b6907
\nMD5: e31e8f4805768c326e28c68a6f406acc
\nMD5: d6e06c98db7a0d38440d300accf8c730
\nMD5: d74528f426054fdcaca65a7e25b0d8dd
\nMD5: d1aa5e38fabe1811dfa113c6185c665e
\nMD5: 97141a85483998dff7e4aa04ce39b4f3
\nMD5: c6f2f67ddb2da9cebd9a669d964df6a7
\nMD5: 405b25f0834ad6c50ddfa203ac3112b4<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"

Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, successfully setting up the foundations for commercial managed\/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile \u00a0malware\/spam campaigns. In addition to boutique based DIY operations, sophisticated, ‘innovation’ and market […]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[17367,17351,17347,23171,17353,16239,23175,17357,17345,15475,23173,4539,15147,17355,15149,12441,4029,17359,23169,17349],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16158"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=16158"}],"version-history":[{"count":31,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16158\/revisions"}],"predecessor-version":[{"id":25799,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16158\/revisions\/25799"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=16158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=16158"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=16158"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=16158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}