If you are committed to sharing some of your free time learning how to fight and report spam and other forms of cybercrime, check out the InboxRevenge forum. The forum was started in 2006, so it is nearly 6 years old already. Please note that after attempting to sign up you must be pre-approved by the InboxRevenge moderators. A few participants from the Castlecops website take part on InBoxRevenge, along with other anti-spammers from the online community. The forum welcomes everyone who wants to help make a difference in combating cybercrime and learning how to report it. Sharing ideas on how to get cybercrime operations shut down is a big priority for the many participants of InBoxRevenge. @InBoxRevenge can also be followed on Twitter.


Announced in October 2011: we are asking you to check out a new anti-botnet effort, DeepEnd Research.org.

There is a lot of new information there about an organized malicious operation, the Dirt Jumper DDoS bot. I look forward to participating in the efforts.

Unfortunately, I have not been able to update this blog in over a year already; nonetheless, I hope to make a few updates as time permits. It took me a long time to approve a few old comments here on some old entries. I will respond to a few of the responses when I get a chance. I want to thank you for reading this blog and taking the time to respond to my research. I look forward to posting more information about various forms of cybercrime soon.


The APWG (Anti-Phishing Working Group) recently held its Counter eCrime Operations Summit (CeCOS) in São Paulo, Brazil on May 11-13th, 2010. Over the years, the APWG has held its conferences in different countries, reflecting the international nature of fighting this type of cybercrime (phishing and spam). The next APWG conference is the eCrime Researchers Summit in Dallas, Texas in October 2010.

The admirable reporting by CERT.br (the Brazilian CERT team) and other Brazilian Incident Response teams deserves a mention, because they appear to be among the most proactive Incident Response teams worldwide in reporting phishing, malware and other types of Internet abuse incidents to ISPs around the world. Because of such strong reporting efforts, Brazilian-related cybercrime gets more attention than cybercrime related to other countries with a large online presence, such as China or Russia.

Global Phishing Survey

In May 2010, APWG researchers Greg Aaron and Rod Rasmussen published the report Global Phishing Survey: Domain Name Use and Trends in 2H2009, which found that the Avalanche phishing group accounted for two thirds of all phishing attacks, based on data collected in the second half of 2009.

Subdomain Abuse on Free Webhosters

The Global Phishing Survey gives a very detailed view of phishing attacks by TLD (top-level domain) and of the compromised phishing sites that were reported. The report also noted the free subdomain hosting services abused by phishers, compiling a top 20 offender list on page 20. These free subdomain services are not doing enough to minimize fraudulent signups. Cybercriminals appear to flock to such sites in droves to defraud others, even though the response is whack-a-mole: typically the scam sites are reported after their spam run, and then the hoster shuts them down.

The number one offender for phishing sites on subdomains was t35.com, which is hosted in the US by the webhoster Interserver.net of New Jersey (t35.com’s A record is 69.10.32.154 / AS19318). Other failures to curb phishing sign-ups in the top 5: 110mb.com, ns11-wistee.fr, tripod.com and justfree.com.

Avalanche Phishing and ZeuS botnet

The 33-page report provides detail on reported phishing website trends as of the second half of 2009. Avalanche is the current name for the fast-flux DNS hosting of phishing sites on large botnets, which involved many fraudulent domain name sign-ups with unresponsive registrars worldwide and spoofs of many brands. In 2006-2008 this large phishing organization had been dubbed Rockphish, due to the patterns found in its folder names. At that time, the Rockphish group was quite successful in stealing millions of dollars.

This newer group, now called Avalanche, uses techniques similar to those of Rockphish. The Avalanche group is also making use of the ZeuS botnet to steal banking information from users who download the malware they received via spam. Current ZeuS botnet statistics can be found online on the ZeuS Botnet Tracker.

According to the APWG report, compromised phishing attacks are still very plentiful, and tend to stay online longer than the lifespan of the fast flux Avalanche botnet phishing sites.

It is very hard to say if the groups behind this large phishing enterprise will be caught and prosecuted, but at the time of this post, their activity appears to be still going strong based on the reports referenced here by APWG. It is worth noting that continued international cooperation amongst law enforcement, private industry, independent researchers, academics and governments against cybercrime is truly a must to stem the problem of cybercrime in general. Other efforts matter as well, but international cooperation is probably the most important aspect to fighting online crime. International efforts such as APWG are commendable.

Selected Media References:

Ars Technica:  Phishing servers being killed off faster than ever

Network World: Worst phishing menace may be prepping more dangerous version of itself


Romania is a country that many Internet security researchers and various law enforcement agencies equate with cybercrime, and they have probably had that in mind for quite a while now. Even some casual readers of spam news know about Romania’s bad reputation online. The good news is that over the years more and more people directly involved in cybercrime rings based in Romania have been caught.

In the latest news, on 6th April, 2010, 70 people were arrested in Romania for phishing and other Internet-related fraud. The arrests were carried out by the Directorate for the Investigation of Organized Crime (DIICOT) in Romania together with police officers, and were followed by over 90 searches ordered by prosecutors (article in Romanian by DIICOT).

Update: 4/12/10 Current time zone: EEST 12:11 AM

The Internet Scammers blog, which broke the story in English earlier last week, has posted the names of some 34 of these Romanian scammers, who engaged in eBay, 419 and other auction fraud, a form of advance fee fraud (AFF). The source of the story in Romanian is Romanian Masura Media, which posted it on the 8th of April 2010.

The rough translation into English via Google is here, as kindly provided by the writer at the Internet Scammers blog. According to the translation, with the aid of the FBI, DIICOT and other law enforcement agencies, investigators found that since 2006 the three organized criminal groups have operated in several countries, including: Spain, Italy, France, New Zealand, Denmark, Sweden, Germany, Austria, USA, Canada, and Switzerland. They were organizing fraudulent auctions through the Internet. … There could be up to 250 people involved in three separate criminal groups.

Backstory in Clamping down on Romanian Cybercrime

In more recent years, various law enforcement agencies have had more success arresting Romanian-based cybercriminals. Romanian officials have been working harder with international law enforcement to make these arrests possible. Romanian Prosecutor-General Laura Codruta Kövesi was noted as a McAfee Cybercrime Fighter Award Winner in 2008. These recent arrests are definitely worth noting, in the hope that more cybercriminals are eventually caught in other countries too, in part through increased government cooperation with international law enforcement in nearby nations such as Russia, Estonia, Ukraine and other East European nations.

Romanian Flag

Romania has had a strong presence, or digital footprint, online for well over a decade now compared with other countries of its size. Romania has around 22 million people and ranks as the 51st most populated country in the world according to the CIA Factbook. Romania’s online presence, in terms of users and of Internet IP hosts, outranks many other countries relative to its size and outranks some larger countries as well that are not as wired in general. Romania has an active hacker community, and Romanians are well represented on IRC (Internet Relay Chat).

Since breaking away from the shackles of the Soviet Bloc, under policy led by the brutal dictator Nicolae Ceauşescu whose rule ended violently in 1989, Romania has gone through a lot of political transformation, from a communist country to one aligning itself more with Western Europe and the United States over the past 2 decades. Romania joined NATO in 2004 and has been in the European Union since 2007. For more about Romania’s geopolitical history as a former Soviet satellite, check out its English-language Wikipedia entry.

While Romania’s broadband penetration is not ranked very high (24%) in a Tech Crunchies study of European countries, the average Romanian enjoys very high Internet speeds compared with other countries: ranked #4 in the Top 10 with 6.2 Mbps (download speed in megabits per second).

Romanians have been involved in cybercrime in large numbers for at least a decade now, which is quite a long time for the average lifespan of any particular online activity. For several years now, Romania has had a tarnished reputation similar to the cybercriminal reputations of much larger countries such as Nigeria, Brazil, Russia, China and the United States.

70 Romanians Arrested in April 2010

Despite these facts, there have been arrests of large numbers of cybercriminals in Romania in the past few years. We are highlighting the most recent one, the arrest of 70 people in Romania on April 6th, 2010, which was first posted in English on the Internet Scammers blog. We will post more details as they become available.

Spamhaus Blocklists large swaths of Romanian ISP EuroWeb.RO:

In early April 2010, Spamhaus blocklisted large IP ranges of the Romanian ISP Euroweb.ro for hosting botnets and various cybercrime enterprises, most recently under the name Powerhost.ro. Given these listings, it would be a good guess that this provider will get rid of these blackhat accounts. The downstream customer causing the listings is Powerhost.ro. At the time of this posting, there were 7 active SBLs for Euroweb.ro.

The most recent listings are:

Listed on SBL between 07-Apr-2010 and 11-Apr-2010:
SBL88578   77.81.192.0/19     euroweb.ro
SBL88577   86.55.96.0/23      euroweb.ro
SBL88576   86.55.206.0/23     euroweb.ro
SBL88575   89.114.9.0/24      euroweb.ro
SBL88572   188.213.128.0/20   euroweb.ro
SBL88571   188.213.96.0/20    euroweb.ro
SBL88570   86.55.210.0/23     euroweb.ro

The /19 listing covers over 8000 IP addresses. The smallest netblock is a /24, which is 256 IP addresses. A few details to note from SBL88578:

SBL88578
77.81.192.0/19     euroweb.ro
07-Apr-2010 01:21 GMT
Botnet/cybercrime spammer hosting: powerhost.ro

AS6663 EUROWEBRO
AS38913 Enter-Net-Team-AS
AS31571 ALtNet Bucharest, ROMANIA
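The netblock sizes quoted above (a /19 being over 8000 addresses, a /24 being 256) can be checked, and the whole listing totalled, with a few lines of Python. The following is an added example, not code from Spamhaus or from this blog; it parses the seven SBL lines quoted in this post (embedded below as constructed input) with the standard `ipaddress` module, sums the address space covered, and answers the question an abuse desk or mail admin actually asks: "is this IP inside one of the listed ranges?"

```python
import ipaddress
from collections import Counter

# Constructed input: the SBL lines quoted in the post, header line included,
# in the "SBLnnnnn  netblock  domain" layout used above.
SBL_LISTING = """\
Listed on SBL between 07-Apr-2010 and 11-Apr-2010:
SBL88578   77.81.192.0/19     euroweb.ro
SBL88577   86.55.96.0/23      euroweb.ro
SBL88576   86.55.206.0/23     euroweb.ro
SBL88575   89.114.9.0/24      euroweb.ro
SBL88572   188.213.128.0/20   euroweb.ro
SBL88571   188.213.96.0/20    euroweb.ro
SBL88570   86.55.210.0/23     euroweb.ro
"""


def prefix_size(cidr):
    """Number of addresses in a CIDR prefix, e.g. /19 -> 8192, /24 -> 256."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def parse_sbl_lines(text):
    """Parse 'SBLid netblock domain' lines; other lines (headers) are skipped.

    strict=True makes ip_network() reject a prefix whose host bits are not
    all zero, so a mistyped netblock fails loudly instead of being silently
    widened.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].startswith("SBL"):
            continue
        sbl_id, cidr, domain = parts
        records.append({
            "sbl": sbl_id,
            "network": ipaddress.ip_network(cidr, strict=True),
            "domain": domain.lower(),
        })
    return records


def summarize(records):
    """Total address space listed, plus the largest and smallest listings."""
    by_domain = Counter()
    for r in records:
        by_domain[r["domain"]] += r["network"].num_addresses
    largest = max(records, key=lambda r: r["network"].num_addresses)
    smallest = min(records, key=lambda r: r["network"].num_addresses)
    return {
        "listings": len(records),
        "addresses": sum(by_domain.values()),
        "largest": largest["sbl"],
        "smallest": smallest["sbl"],
        "by_domain": dict(by_domain),
    }


def listings_for(ip, records):
    """SBL ids whose netblock contains the given IP (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [r["sbl"] for r in records if addr in r["network"]]


if __name__ == "__main__":
    recs = parse_sbl_lines(SBL_LISTING)
    print(summarize(recs))
    for ip in ("77.81.200.5", "86.55.97.10", "8.8.8.8"):
        print(ip, listings_for(ip, recs))
```

Running the block shows that the seven listings together cover 18176 addresses, that the /19 (SBL88578) is the largest at 8192 and the /24 (SBL88575) the smallest at 256, and that an address such as 77.81.200.5 falls inside SBL88578 while 8.8.8.8 matches nothing. The same parser works unchanged on any list of prefixes in this layout, so it can be pointed at a provider's own allocation list to see how much of it is under a listing.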

Notable External Links for Further Reading / Information:

There have been several recent arrests of cybercriminals in Romania over the past few years. Below are some recent highlights:

Informational Blogs to Video Links:

Internet Scammers: 70 Romanians Arrested on 6th of April 2010

CyberCrime & Doing Time: 70 Romanian Phishers & Fraudsters Arrested

Video:

YouTube: Safe Internet – Romanian Child Safety Commercial – (1 min)

Older News Stories – (incomplete)

2008: SC: Romanian cybercrime ring busted

2003: MSNBC: How Romania became a center of cybercrime

Other:

NirSoft: Romanian IP Ranges

ROTLD Registry: .RO rules for TLD usage


Online Advance Fee Fraud (AFF) scams are plentiful and involve several parties: the fraudsters themselves, money mules (people who are often duped into committing crimes as middlemen while thinking they are earning extra money), and the individuals and businesses who have been defrauded. Most of the general public who are active online may have heard of the Nigerian letter scam, called the 419 scam after the section number covering it in current Nigerian law.

There are many ways a scammer poses as someone else to steal a victim’s money. Advance Fee Fraud scams take place anywhere the Internet is in use, not just against victims in Western nations. Usually the intended victim cashes a fraudulent check drawn on an account whose information was stolen. Many of these scenarios start with end users answering spam that appears in their inboxes. In most cases the money mule (the person who unwittingly commits a crime) is left holding the bag, being held responsible for the amount of the stolen check they received.

These scams take place in many countries, from South Africa to the UK, United States, Japan, Germany and other nations. Fraudsters also catch their intended victims by other means, such as posting ads on Craigslist, answering for-sale ads, taking over eBay accounts that were phished, and posting elsewhere online where people want to buy and sell things. People (male or female) looking for dates online have also been swindled many times in what are called sweetheart scams. The sweetheart scams have been going on for quite some time; note this 2005 MSN article. Scammers also hack into people’s email accounts and send spam saying they are stranded overseas and need money after being robbed. Now, with the popularity of social networking sites such as Facebook and Twitter, these fraudsters continue to dupe their victims after hacking into accounts and pretending to be the account owner, asking for money.

For those not familiar with the term Advance Fee Fraud, check out this definition according to the Wikipedia:

An advance-fee fraud is a confidence trick in which the target is persuaded to advance sums of money in the hope of realizing a significantly larger gain. Among the variations on this type of scam, are the Nigerian Letter (also called the 419 fraud, Nigerian scam, Nigerian bank scam, or Nigerian money offer), the Spanish Prisoner, the black money scam as well as Russian/Ukrainian scam (also extremely widespread, though far less popular than the former). The so-called Russian and Nigerian scams stand for wholly dissimilar organised-crime traditions; they therefore tend to use altogether different breeds of approaches.

The Nigerian letter scam is probably the most well known of the advance fee fraud scams. There are organizations with devoted volunteers who actively combat these crimes. AA419 for example, reports fraudulent advance fee fraud domains to webhosts, and registrars for take-downs. Another website which documents and reports online fraud is Bobbear.co.uk.

The Main Difference between Phishers and Advance Fee Fraudsters

There are many methods to defraud victims online, from fake eBay auctions to job opportunity scams. Another website dedicated to job fraud is PhishBucket. These types of scams are a bit different from phishing scams, where fraudsters use spam to spoof financial institutions such as banks in order to steal the victim’s username and password and then the money in the victim’s bank account. The main difference is that phishers spoof an actual company that exists, while run-of-the-mill job scammers simply create fraudulent shell companies or purchase fraudulent domain names with dummy company information listed.

Advance Fee Fraud Victims

Many people aware of this problem tend to think that the victims are Internet newbies. In fact, many people who have fallen for these online scams have been retired professors, lawyers and other professionals.

The way for people to avoid online scams is to think about this old adage which is somewhat paraphrased: “if something is too good to be true, then it probably is.”


In the online world, a lot of cybercrime originates on computers and servers hosted within the United States. How often does one read about that? Usually China and Russia are mentioned at the drop of a hat in regard to online malicious activity, while there seems to be less focus on the equally large problems on networks within the United States.

The rankings posted on Spamhaus are one place where one may gauge online fraudulent activity. Take a look at the top 10 SBL offenders by country. The United States is way ahead with over 2000 current SBLs; China is in a distant 2nd place.

Below are the top 3 as of 2/24/2010. As at 24 February 2010 the world’s worst Spam Haven countries for production and export of spam are:

1. United States: Number of Current Live Spam Issues: 2189
2. China: Number of Current Live Spam Issues: 590
3. Russian Federation: Number of Current Live Spam Issues: 457

Another gauge to use is reported malware websites by ASN, found here on Malicious Networks. 14 out of the 20 ISPs listed are in the United States. This should be of very big concern to all of us. Hosters in the US and elsewhere need to be more proactive in taking down activity deemed malicious. Webhosting and other organizations with large online content also need to secure their servers better and put more measures in place to minimize fraudulent account signups.


According to the Spamhaus Top 10 Network offenders list in its Spamhaus Block List Advisory, an ISP called AS3352 TELEFONICA-DATA-ESPANA has the most SBLs on the Spamhaus list as of January 17th, 2010. Based on Spamhaus’ research, this ISP is considered the current “World’s Worst Network.” At the time of this post, there are 95 SBLs belonging to Telefonica.es.

Spamhaus: The 10 Worst Spam Support ISPs
As at 17 January 2010 the ISPs with the poorest abuse control of spammers are:

Rank   SBLs   ISP domain           ASN       URL
1.     95     telefonica.es        AS3352    http://www.telefonica.es/
2.     64     ovh.net              AS16276   http://ovh.net/
3.     59     telefonica.com.ar    AS22185   http://www.telefonica.com.ar/
4.     46     tiscali.it           AS3257    http://www.tiscali.it/
5.     44     xo.com               AS2828    http://www.xo.com/
6.     38     integratelecom.com   AS7385    http://integratelecom.com/
7.     38     charter.com          AS20115   http://www.charter.com/
8.     38     ono.com              AS6739    http://www.ono.es/
9.     35     verizon.com          AS19262   http://www.verizon.com/
10.    34     telecom.com.ar       AS7303    http://www.telecom.com.ar/

Many SBLs of telefonica.es (Telefonica de Espana, AS3352, netname: RIMA) are /32 (single IP address) listings, with lots of ROKSO Canadian Pharmacy listings among them. Many of the Telefonica.es SBLs were added from October to December 2009. ROKSO, the Registry of Known Spam Operatives, is a list compiled by Spamhaus of the worst spamming organizations.

While second-ranked OVH’s listings are /32 as well, not many of its current SBLs are those of ROKSO spammers. OVH.net offers both dedicated and shared hosting; unfortunately, spammers are attracted to either one. OVH.net was noted as the worst offending ISP on this blog back in December 2009. The good news about OVH is that its admins appear to be working on ridding the network of spammers. Telefonica.com.ar, in 3rd place with 59 SBLs, has larger blocklistings, such as numerous /24s, each of which is 256 IP addresses. The ROKSO spammer listing on tiscali.it is Fabio Petta – Jnternet.

One note about this top 10 list is the number of Spanish-speaking ISPs. For example: telefonica.es and ono.com / ono.es are located in Spain, while Argentina is represented by telefonica.com.ar and telecom.com.ar. Telefónica explains on its website that it is one of the largest telecommunications companies by market (Spain, Europe and Latin America).

The 2 other European-based ISPs are OVH of France and Tiscali.it in Italy. The 4 US-based providers on the Spamhaus Block List are XO, Charter, Integra Telecom and Verizon. XO.com is a large Tier-2 NSP (network service provider), Integra Telecom is a regional ISP in the midwestern and western US states, and Charter is a regional ISP. Verizon (made up of Baby Bell companies) is offered as an ISP in most US markets and is also a leading wireless cell phone provider.

Spamhaus’ SBL ranking is based on Spamhaus’ own spam research, so the list has its own limitations. Among the reasons: ISPs have to contact Spamhaus to get their SBLs removed, so the SBL list is a manual process, not an automated one like the CBL.

If a researcher wants to know more about the volume of spam emitted by ISPs, other online tools are available, such as Spamcop’s list by hostname/IP. Though much smaller in scope than Spamcop, German Powerweb’s DNSBL.de has a top 20 providers list on its main page by spam volume, based on the ASN (Autonomous System Number), the number the Internet address registries assign to identify a network.


Since around August 2009 or so, French provider OVH.net (AS16276) has been the top offender by current SBLs on Spamhaus.

Here is a screenshot of that list on Spamhaus as of December 5th, 2009.

Also note the list below, as of 12/5/09:
1. ovh.net AS16276 = 77 SBLs
2. telefonica.es AS3352 = 59 SBLs
3. xo.com AS2828 = 48 SBLs
4. tiscali.it AS3257 = 43 SBLs
5. mzima.net AS46562 = 38 SBLs
6. internap.com AS11855 = 37 SBLs
7. telefonica.com.ar AS22927 = 37 SBLs
8. ttnet.net.tr AS9121 = 34 SBLs
9. ono.com AS6739 = 33 SBLs
10. interbusiness.it = 29 SBLs


This is the third attack on the InBoxRevenge antispam forums within one month. The first DDoS attack which was posted below was on October 28, 2009.

Since about 10:45 Eastern Time on Monday, November 16th, 2009, IBR’s forums are once again offline.

We will give you more details as they become available. It seems that spammers are definitely still very angry with the content posted on IBR.

We will continue to spread information online via various twitter accounts, blogs, and other websites about collecting information which leads to shutting down illegal spammer operations. Attacks such as this one and others do not stop our efforts as we continue to report spamming operations.

As a reminder, check out our other websites online for updates:

Twitter: http://twitter.com/inboxrevenge
Other blogs:

http://garwarner.blogspot.com/

http://inboxrevenge.blogspot.com

http://inboxrevenge.spaces.live.com

Wiki:

http://spamtrackers.org

Please note that SiL also has his two blogs, which also accept moderated comments:
http://ikillspammers.blogspot.com

http://spamitmustfall.blogspot.com


An Italian banking phishing URL spoofing CartaSi is live on the compromised host phone.codmanacademy.org (IP: 69.38.149.93, on AS19406, Towerstream.com).

Munged URL:

hxxp://phone.codmanacademy.org/home/polycom/.redirecting.titolari.cartasi.it.portal.server.pt.acceso.reg.recupero.gateway.nome.utente.o.password.se.hai.dimenticato/

URL was already reported to Netcraft and Phishtank.
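The URL above is "munged" (hxxp instead of http) so that nobody clicks it by accident while it is being reported. The following added example, not code from this blog or from Netcraft/Phishtank, shows the two routines an abuse reporter ends up writing: refanging a munged URL back to a real one for submission, defanging a live one for safe sharing, and a check on the pattern this sample shows, where the brand's real domain (cartasi.it) is buried in the path while the actual hostname belongs to the compromised site. The munged URL is the one quoted in this post; the function names are my own.

```python
import re
from urllib.parse import urlsplit

# The munged URL quoted in the post above (defanged: hxxp instead of http).
MUNGED = ("hxxp://phone.codmanacademy.org/home/polycom/.redirecting.titolari."
          "cartasi.it.portal.server.pt.acceso.reg.recupero.gateway.nome."
          "utente.o.password.se.hai.dimenticato/")


def refang(munged):
    """Turn a munged URL back into a real one: hxxp(s):// -> http(s)://,
    '[.]' -> '.', '[:]' -> ':'. Used only when submitting to a takedown service."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", munged, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def defang(url):
    """Make a live URL safe to paste into a report: the scheme becomes
    hxxp(s) and the dots in the hostname become '[.]' so it does not
    auto-link. The path is left alone so the evidence stays readable."""
    s = re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)
    scheme, rest = s.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme}://{host.replace('.', '[.]')}{sep}{path}"


def hostname_of(url):
    """The hostname that actually serves the page (munged input accepted)."""
    return (urlsplit(refang(url)).hostname or "").lower()


def brand_in_path_not_host(url, brand_domain):
    """True when the brand's domain appears in the URL path (or query) but
    the serving host is not that domain or one of its subdomains. That is
    the pattern in the CartaSi sample above; a genuine login page on the
    brand's own site returns False."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    brand = brand_domain.lower()
    served_by_brand = host == brand or host.endswith("." + brand)
    mentions_brand = brand in parts.path.lower() or brand in parts.query.lower()
    return bool(mentions_brand and not served_by_brand)


if __name__ == "__main__":
    print("host:", hostname_of(MUNGED))
    print("brand in path, not host:", brand_in_path_not_host(MUNGED, "cartasi.it"))
    print("defanged:", defang("http://example.com/login"))
```

For the sample URL the host comes out as phone.codmanacademy.org and the brand check is True, while a real URL under cartasi.it returns False. Note that this check is one heuristic, not a verdict: a legitimate third-party redirector can also carry a brand name in its path, so in practice it is a prompt to look, not an automatic blocklist entry.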



