There is a lot of new information there about organized malicious activity called Dirt Jumper DDoS bot.

I look forward to participating in the efforts.

Unfortunately, I have not been able to update this blog in over a year already, nonetheless, I hope to make a few updates before the end of 2011 as time permits. It took me a long time to approve a few old comments here for some old entries.  I will respond to a few of the responses when I get a chance. I want to thank you for reading this blog and taking the time to respond to my research. I look forward to posting more information soon about various forms of cybercrime soon.

The admirable reporting by the CERT.br (Brazilian CERT team) and other Brazilian Incident Response teams deserves a mention because they appear to be among the most proactive of Incident Response teams worldwide  in reporting phishing, malware and other types of internet abuse incidents to various ISPs world-wide.  Brazilian-related cybercrime gets more attention because of such strong efforts than cybercrime related to other countries such as China or Russia (countries mentioned with a large online presence) because of this important task at hand.

Global Phishing Survey

In May 2010, APWG researchers Greg Aaron and Rod Rasmussen published this report  Global Phishing Survey: Domain Name Use and Trends in 2H2009 about Avalanche phishing group making up two thirds of all phishing attacks based on data collected in the second half of 2009.

Subdomain Abuse on Free Webhosters

The Global Phishing Survey gives a very detailed view of phishing site attacks based on TLD (top level domains) and compromised phishing sites that were reported. The detailed report also noted free hosting subdomain services that were abused by phishers as it compiled a top 20 offender list on page 20 of the APWG report.  These free subdomain services are not doing enough to minimize fraudulent signups. It would appear that cybercriminals flock to such sites in droves to defraud others, even if the reaction is whack-a-mole.  The typical approach is the scams are reported after their spam run, then the hoster shuts them down.

The number one offender of phishing sites on subdomains was t35.com which is hosted in the US by the webhoster Interserver.net of New Jersey; (t35.com’s A record is on  69.10.32.154 / AS19318).  Other failures to curb phishing sign-ups to note in the top 5: 110mb.com, ns11-wistee.fr, tripod.com and justfree.com

Avalanche Phishing and ZeuS botnet

The 33 page report provides detail as to the reported phishing website trends as of the second half of 2009.  Avalanche is the current name for fast flux DNS of phishing site hosting on large botnets, which involved many fraudulent domain name sign ups with unresponsive registrars worldw ide and spoofs of many brands. This large phishing organization (2006-2008) had been dubbed Rockphish due to the patterns found in folder names. At that time, the rockphish group was quite successful in stealing millions of dollars.

This newer group, now called Avalanche, uses similar techniques to that of the Rockphish. The Avalanche group is also making use of the ZeuS botnet to steal banking information from users who download the malware they received via spam. Current ZeuS botnet statistics found online can be found on the ZeuS Botnet Tracker.

According to the APWG report, compromised phishing attacks are still very plentiful, and tend to stay online longer than the lifespan of the fast flux Avalanche botnet phishing sites.

It is very hard to say if the groups behind this large phishing enterprise will be caught and prosecuted, but at the time of this post, their activity appears to be still going strong based on the reports referenced here by APWG. It is worth noting that continued international cooperation amongst law enforcement, private industry, independent researchers, academics and governments against cybercrime is truly a must to stem the problem of cybercrime in general. Other efforts matter as well, but international cooperation is probably the most important aspect to fighting online crime. International efforts such as APWG are commendable.

Selected Media References:

Ars Technica:  Phishing servers being killed off faster than ever

Network World: Worst phishing menace may be prepping more dangerous version of itself

In the latest news, on 6th April, 2010, 70 people were arrested in Romania for phishing and other Internet related fraud. The arrests which were undertaken by the Directorate for the Investigation of Organized Crime in Romania, together with police officers, and followed by over 90 searches issued by prosecutors (Article in Romanian by DIICOT).

Update: 4/12/10 Current time zone: EEST 12:11 AM

The Internet Scammers blog which broke the story earlier last week in English has updated the names of some 34 of these Romanian scammers who engaged in eBay, 419 and other auction fraud  a form of (advance fee fraud – AFF). The source of the story in Romanian is  Romanian Masura Media. which was posted on the 8th of April 2010.

The rough translation into English via Google is here as kindly provided by the writer at the Internet Scammers blog.  According to the translation into the English with the aid of the FBI, DDICOT, and other law enforcement agencies, according to investigators since 2006, the three organized criminal groups have acted in several countries  including: Spain, Italy, France, New Zealand, Denmark, Sweden, Germany, Austria, USA, Canada, and Switzerland. They were organizing fraudulent auctions through the Internet. … There could be up to 250 people involved in three separate criminal groups.

Backstory in Clamping down on Romanian Cybercrime

In more recent years, there has been more success by various law enforcement agencies to arrest Romanian-based cybercriminals. Romanian officials have been working harder with international law enforcement to make these arrests possible. Romanian Prosecutor-General Laura Codruta Kövesi was noted as a McAfee Cybercrime Fighter Award Winner in 2008. These recent successes of arrests are worth definitely noting, so that more cybercriminals are eventually caught in other countries in part to more increased government cooperation with international law enforcement, in other nations nearby such as Russia, Estonia, Ukraine, and some other East European nations.

Romanian Flag

Romania has had a strong presence or digital footprint online for well over a decade now as compared to some other countries of its size. Romania has around 22 million people and ranks as the 51th most populated country in the world according to the CIA Factbook. Romania’s presence online in terms of users and that of Internet IP hosts does outranks many other countries relative to its size and outranks some larger countries as well who are not as wired in general. Romania has an active hacker community and Romanians are well represented on IRC (Instant Relay Chat).

Since breaking away from the shackles of the Soviet Bloc in policy lead by the brutal dictator Nicolae Ceauşescu whose rule ended violently in 1989, Romania has gone through a lot of political transformation from a communist country to that of aligning itself more with Western Europe and the United States for the past 2 decades. Romania joined NATO since 2004 has been in the European Union since 2007. For more about Romania’s geopolitical history as former Soviet Satellite, check out its English-language Wikipedia entry.

While Broadband penetration study for European countries in percentage amongst Romanians is not ranked very high (24%) according to Tech Crunchies, the average Romanian enjoys a very high speed on the Internet  as ranked with those from other countries: Ranked #4 in the Top 10 with 6.2 Mbps. (Download Speeds of Megabits per Second).

Romanians have been involved in cybercrime in larger numbers for at least a decade now which is quite a longtime for the average lifespan of any particular online activity. For several years now, Romania has had a tarnished reputation similar to those cybercriminal reputations of much larger countries such as Nigeria, Brazil, Russia, China and the United States.

70 Romanians Arrested in April 2010

Despite these facts, there have been recent arrests of large numbers of cybercriminals in Romania in the past few years. We  are highlighting the most recent arrest of 70 people arrested in Romania on April 6th, 2010 which was first posted on Internet Scammers blog in English. We will post more details as they come available.

Spamhaus Blocklists large swaths of Romanian ISP EuroWeb.RO:

In early April 2010, Spamhaus blocklisted large IP ranges of this Romanian ISP: Euroweb.ro for hosting botnet and various cybercrime enterprises with the latest name Powerhost.ro. Due to the recent blocklistings, it would be a good guess this provider will get rid of these blackhat accounts. The downstream which is causing these listings is called Powerhost.ro. At the time of this posting, there were 7 active SBLs for Euroweb.ro

The most recent listings are:

07-Apr-2010 to  11-Apr-2010 Listed on SBL
SBL88578 77.81.192.0/19    euroweb.ro
SBL88577   86.55.96.0/23     euroweb.ro
SBL88576   86.55.206.0/23    euroweb.ro
SBL88575   89.114.9.0/24     euroweb.ro
SBL88572  188.213.128.0/20    euroweb.ro
SBL88571  188.213.96.0/20   euroweb.ro
SBL88570   86.55.210.0/23   euroweb.ro

The /19 listing is over 8000 IP addresses. The smallest netblock is /24 which is 256 IP addresses.  A few details to note below from the SBL88578 :

SBL88578
77.81.192.0/19     euroweb.ro
07-Apr-2010 01:21 GMT
Botnet/cybercrime spammer hosting: powerhost.ro

AS6663 EUROWEBRO
AS38913 Enter-Net-Team-AS
AS31571 ALtNet Bucharest, ROMANIA

Notable External Links for Further Reading / Information:

There have been several recent arrests of cybercriminals in Romania over the past few years. Below are some recent highlights:

Informational Blogs to Video Links:

Internet Scammers: 70 Romanians Arrested on 6th of April 2010

CyberCrime & Doing Time: 70 Romanian Phishers & Fraudsters Arrested

Video:

YouTube: Safe Internet – Romanian Child Safety Commercial – (1 min)

Older News Stories – (incomplete)

2008: SC: Romanian cybercrime ring busted

2003: MSNBC: How Romania became a center of cybercrime

Other:

NirSoft: Romanian IP Ranges

ROTLD Registry: .RO rules for TLD usage

There are many ways a scammer poses as someone else to steal a victim’s money.  Advance Free Fraud scams take place anywhere the Internet is in use, not just to victims in the Western nations.  Usually the intended victim cashes a fraudulent check from an account whose information was stolen. Many of these scenarios start with endusers answering spam that appears in their inboxes. Typically in most cases the money mule (person who unwittingly commits a crime) is left holding the bag by being responsible for the amount on the stolen check they had received.

These scams take place in many countries, from South Africa, to the UK, United States, Japan, Germany, and other nations.  Fraudsters catch their intended victims by other means such as posting ads on Craigslist, answering for sale ads, taking over eBay accounts that were phished, and posting elsewhere online where people want to buy and sell things. Also people (male or female) looking for dates online have been swindled many times in what is called sweetheart scams. The sweetheart scams haven going on for quite sometime; note this 2005 MSN article.  Scammers also hack into people’s email accounts and send spam saying they are stranded overseas and need money after being robbed.  Now with the popularity of social networking sites such as Facebook and Twitter, these fraudsters continue to dupe their victims after hacking into accounts and pretending to be the victim, asking for money.

For those not familiar with the term Advance Fee Fraud, check out this definition according to the Wikipedia:

An advance-fee fraud is a confidence trick in which the target is persuaded to advance sums of money in the hope of realizing a significantly larger gain.[1] Among the variations on this type of scam, are the Nigerian Letter (also called the 419 fraud, Nigerian scam, Nigerian bank scam, or Nigerian money offer[2]),[3] the Spanish Prisoner, the black money scam as well as Russian/Ukrainian scam (also extremely widespread, though far less popular than the former). The so-called Russian and Nigerian scams stand for wholly dissimilar organised-crime traditions; they therefore tend to use altogether different breeds of approaches.

The Nigerian letter scam is probably the most well known of the advance fee fraud scams. There are organizations with devoted volunteers who actively combat these crimes. AA419 for example, reports fraudulent advance fee fraud domains to webhosts, and registrars for take-downs. Another website which documents and reports online fraud is Bobbear.co.uk.

The Main Difference between Phishers and Advance Fee Fraudsters

There are many  methods to defraud victims online, from fake eBay auctions, to scam job opportunity scams. Another website dedicated to job fraud is PhishBucket.  These types of scams are a bit different from phishing scams where fraudsters use spam to spoof financial institutions such as banks in order to steal the victim’s username and password in order to steal money from the victim’s banking account.  The main difference is phishers are spoofing an actual company that exists while the run of the mill job scammers simply create fraudulent shell companies or purchase fraudulent domain names with dummy company information listed.

Advance Fee Fraud Victims

Many people ware of this problem tend to think that victims are internet newbies.  Many people who have fallen for these online scams have been retired professors, lawyers and other professionals.

The way for people to avoid online scams is to think about this old adage which is somewhat paraphrased: “if something is too good to be true, then it probably is.”

The rankings posted on Spamhaus is one example where one may guage online fraudulent activity. Take a look at the top 10 SBL offenders by country.  The United States is way ahead with over 2000 current SBLs. China is in a distant 2nd place.

Below lists the top 3 as of 2/24/2010.

As at 24 February 2010 the world’s worst Spam Haven countries for production and export of spam are:

Another gage to use is reported malware websites by ASN, found here on Malicious Networks.  14 out of the 20 ISPs listed are in the United States. This should be of very big concern to all of us. Hosters in the US and elsewhere need to be more proactive in taking down activity deemed as malicious. Webhosting and other organizations with large online content also need to secure their servers better and try to put more measures in minimizing fraudulent signups of accounts.

Spamhaus: The 10 Worst Spam Support ISPs
As at 17 January 2010 the ISPs with the poorest abuse control of spammers are:

Rank / SBL #  ISP domain / ASN / URL
1. 95 telefonica.es AS3352 / http://www.telefonica.es/
2. 64 ovh.net  AS16276 / http://ovh.net/
3. 59 telefonica.com.ar AS22185 /  http://www.telefonica.com.ar/
4. 46 tiscali.it AS3257 /  http://www.tiscali.it/
5. 44 xo.com AS2828 /  http://www.xo.com/
6. 38 integratelecom.com AS7385 / http://integratelecom.com/
7. 38 charter.com AS20115 / http://www.charter.com/
8. 38 ono.com AS6739 / http://www.ono.es/
9. 35 verizon.com AS19262 / http://www.verizon.com/
10. 34 telecom.com.ar AS7303 / http://www.telecom.com.ar/

Many SBLs of telefonica.es (Telefonica de Espana, AS3352, netname: RIMA ) are /32 (1 IP address) blacklistings with lots of ROKSO Canadian Pharmacy listings. Many of the Telefonica.es SBLs were added from October to December 2009. ROKSO is a list compiled by Spamhaus of the worst spamming organizations. ROKSO stands for Registry of Known Spam Operatives.

While Second ranking OVH’s listings are /32 as well, not so many current SBLs are those of ROKSO spammers. OVH.net offers both dedicated and shared hosting; unfortunately, spammers are attracted to either one. OVH.net was noted as the Worst Offending ISP on this blog back in December 2009. The good news about OVH is that it appears the admins are working on riding its network of spammers. Telefonica.com.ar is in 3rd place with 59 SBLs has larger blocklistings, such as numerous /24 which are 256 IP addresses. The ROKSO spammer’s listings on tiscali.it is  Fabio Petta – Jnternet.

One note about this top 10 list is the number of Spanish-speaking ISPs. For example: telefonica.es and ono.com / ono.es are located in Spain, while Argentina is represented by telefonica.com.ar and telecom.com.ar. Telefónica explains on its website that it is one of the largest telecommunications companies by market (Spain, Europe and Latin America).

The 2 other Euoropean-based ISPs are OVH of France and Tiscali.it in Italy. The 4 US-based providers on the Spamhaus Block List are:  XO, Charter, Integra Telecom and Verizon.  XO.com is a large  Tier-2 NSP (network service provider), while Integra Telecom is a regional ISP in the midwest and western US states, and Charter is a regional ISP.  Verizon (made up of Baby Bell companies) as an ISP is offered in most markets in the US. Verizon is also a leading wireless cell phone provider.

Spamhaus’ SBL ranking is based on Spamhaus own research of spam and so the list has its own limitations.  Among the reasons: ISPs have to contact Spamhaus to get their SBLs removed, so the SBL list is a manual process, and not automated like CBL.

If a researcher wants to know more volumes of ISP spam emiters, one can use other online tools available such as Spamcop’s list by hostname/ IP. Though much smaller in scope than Spamcop, German Powerweb’s DNSBL.de has a top 20 providers list on its main page by spam volume based on the ASN (Autonomous System Number) which is used to identify a network by the Internet Protocol addresses authorities.

Where is Tactara located?

Spamhaus indicates this Tactara operation is out of Wyoming in the United States. These groups have set up shell companies in Wyoming, Nevada, and some other US states. Another name Tactara has used is Webzero when it created its company name in Wyoming in 2006. Tactara has engaged in various forms of snowshoe spamming, which is spamming from many IPs and netblocks in order to evade blacklists. As typical with snowshoe spamming operations, Tactara has used many anonymized domains for spam emitting, spamvertizing and nameservers. Based on the ARIN Allocations from 11/2009 in the ROKSO listing, the Tactara group has operated out of  colocated data centers in the area of Los Angeles, California.  Tactara’s website says its offices are in Los Angeles.

Below is a partial ARIN record of Tactara that was active as of December 2009. Note the ASN is:  AS18687 which is listed under MPower Communications.

CustName:   Tactara
Address:    550 S Hope St. Suite 2825
City:       LOS ANGELES
StateProv:  CA
PostalCode: 90017
Country:    US
RegDate:    2009-09-11
Updated:    2009-09-11
NetRange:   208.57.149.224 - 208.57.149.231
CIDR:       208.57.149.224/29
OriginAS:   AS18687
NetName:    TACTARA
NetHandle:  NET-208-57-149-224-1
Parent:     NET-208-57-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2009-09-11
Updated:    2009-09-11

RTechHandle: ZM147-ARIN
RTechName:   MPOWER COMMUNICATIONS CORP
RTechPhone:  +1-702-310-4578
RTechEmail:  ip-mgmt@mpowercom.net 

OrgAbuseHandle: MIAA-ARIN
OrgAbuseName:   Mpower IP Abuse Administrator
OrgAbusePhone:  +1-877-642-4375
OrgAbuseEmail:  ip-abuse@mpowercom.net

OrgTechHandle: MITA-ARIN
OrgTechName:   Mpower IP Technical Administrator
OrgTechPhone:  +1-702-310-4578
OrgTechEmail:  ip-mgmt@mpowercom.net

# ARIN WHOIS database, last updated 2009-12-11 20:

According to Spamhaus, this group pretends to be ISP brokers and lease out space to customer mostly in /24 blocks in leasing from colocation providers.  The addresses of these numerous shell companies are usually drop mail boxes at UPS stores located in Wyoming or Delaware. Most of the IPs within these blocks of Tactara then have a landing page with a simple unsubscribe page on them.

Snowshoe and Spamhaus CSS

In October 2009, Spamhaus recently launched its CSS service to ferret out snoeshow spamming operations in an automated manner.  So as Spamhaus has mentioned specifically in its recent blog entry from 12/09, many ISPs are taking immediate action due to the SBLs by terminating snowshoe spamming accounts.

Tactara and a Patent

As already noted by Spam Diaries, Tactara LLC even applied for a patent for its particular type of snowshoe spamming. On its website, Tactara also makes an apparent false claim to be a member of MAAWG (Messaging Anti-Abuse Working Group).

Here is a screenshot of that list on Spamhaus as of December 5th, 2009.

Also, note. The list below as of 12/5/09.
1. ovh.net  AS16276 = 77 SBLs
2. telefonica.es AS3352 = 59 SBLs
3. xo.com AS2828 = 48 SBLs
4. tiscali.it  AS3257 = 43 SBLs
5. mzima.net AS46562 = 38 SBLs
6. internap.com AS11855 = 37 SBLs
7. telefonica.com.ar  AS22927 = 37 SBLs
8. ttnet.net.tr AS9121 = 34 SBLs
9. ono.com as6739  = 33  SBLs
10. interbusiness.it  = 29 SBLs

Since about 10:45 Eastern Time on Monday, November 16th, 2009, IBR’s forums are once again offline.

We will give you more details as they become available. It seems that spammers are definitely still very angry with the content posted on IBR.

We will continue to spread information online via various twitter accounts, blogs, and other websites about collecting information which leads to shutting down illegal spammer operations. Attacks such as this one and others do not stop our efforts as we continue to report spamming operations.

As a reminder, check out our other websites online for updates:

Twitter: http://twitter.com/inboxrevenge
Other blogs:

http://garwarner.blogspot.com/

http://inboxrevenge.blogspot.com

http://inboxrevenge.spaces.live.com

Wiki:

http://spamtrackers.org

Please note: that SiL also has his two blogs, which also accept moderated comments:
http://ikillspammers.blogspot.com

http://spamitmustfall.blogspot.com

Munged URL:

hxxp://phone.codmanacademy.org/home/polycom/.redirecting.titolari.cartasi.it.portal.server.pt.acceso.reg.recupero.gateway.nome.utente.o.password.se.hai.dimenticato/

URL was already reported to Netcraft and Phishtank.