They have done so with great success, as we demonstrated by showing some of the attacker's self-shared screenshots of incoming victim credit card information. We last left off by identifying some additional Twitter handles spreading phishing links and hunting more infrastructure connected to that specific campaign.
Since our last update on the matter, we have continued to monitor this group's activity, passing our findings along to the relevant parties. In the process of studying this group, however, we also discovered a second subset of the Indonesian spamming community, in addition to the already identified SlackerC0de and Spammer ID from our previous post. This secondary group uses a slightly different set of tools and techniques, but stays true to the same core of collective financial scamming efforts we have previously written about.
SendInbox
While we were looking at what the Spammer ID members were doing in their group, we saw that they began discussing an additional mailing tool they were using called "Sendinbox". Up to this point we had seen them mainly sharing their use of mailing tools like "heart sender" and "GX40 sender". We have also seen the Spammer ID group try to use XAMPP with sendmail from their localhost, relaying through SlackerC0de infrastructure. They used these methods along with web-based tools on their group websites, like the ones we saw them make available on tool[.]slackerc0de[.]us. When we took a look at what "Sendinbox" was, we saw that it was a PHP tool based on the popular PHPMailer library. After we started going through the group's chat, we witnessed them discuss how they set this tool up on their shared group servers, mainly using Apple and PayPal phishing letters as their payload.
BMarket ID
"Sendinbox" is made by an "Eka Syahwan", who runs a community of groups on various social platforms that is separate from Spammer ID. Its main purpose is to provide support to the user base to whom he sold his mailer tool: a happy customer, in this case, brings in more potential buyers. The main website for this community, Bmarket[.]or[.]id, also hosts a relay server for email campaigns at hxxp://bmarket[.]or[.]id/sendinbox-server[.]php
A close-knit user base such as this offers the would-be scammer support for his phishing campaigns, and the tool creator provides updates to the tool and workarounds for potential service blocks. Those blocks kept mounting the more we looked at the group's correspondence: members complained that the provided email servers were not delivering their scams successfully, or that the messages were landing in spam folders. As a result we witnessed a heavy shift from the recognized servers, like bmarket[.]or[.]id, to group members actively looking for compromised servers through which to relay their emails.
Group members such as the one above started looking for compromised servers on which to upload their Sendinbox tool for future campaign use, and shared them with the group. Once they had gained a successful foothold on a compromised website, they uploaded their SendInbox email tool, as can be seen below.
Other members also shared, in the group chat, their use of vulnerability scanning tools to hunt for potential servers. Along with the proactive hunting these group members were conducting, they were monitoring another website belonging to the "Sendinbox" tool creator, called IndoXploit, which listed additional compromised servers for them to use in their phishing campaigns.
Eka Syahwan even lists this fact on his personal Facebook profile, along with regular updates on his scamming activity, as we can see in his most recent warning post about some rippers that recently tried to do business with him on Telegram:
An email list an attacker has prepared to massively spam his phishing letters. This list consists of alphabetically ordered Yahoo accounts that were already validated as Apple users.
This group is also sophisticated enough to socially engineer letters appropriate to a specific geographic and linguistic group, such as these Japanese Apple users: we caught them testing out various Japanese templates, checking how they were received in a Japanese Yahoo mailbox, and where possible bouncing them off Japanese accounts.
Successfully harvested credentials received in an attacker's email.
Conclusions
Traditional phishing hunting operations tend to rely on certificate and brand-name watching. This tactic is usually quite successful, since phishing domains don't tend to have a lifespan longer than a day or two, and if by any chance a phishing page isn't hunted down, it is at least usually reported as fake by wary users.
The threat that closed scamming communities such as BMarket pose lies in the advantage of crowdsourcing their setbacks and problems. While a single, lone scammer might quit after being unsuccessful in his attack, a strong base of experienced users, and in this case a tool creator looking to satisfy his clients, will immediately fix whatever is broken or detected by phishing-domain watchers. It also offers some confidentiality to their operations: a small group such as this is harder to track when it doesn't make much noise beyond its chat platforms. While some of their phishing domains are quickly identified, when looking at their operations we saw that a lot of Apple and PayPal customers still fell victim to their ploy. We think this is also due to the group's heavy use of shortened and redirected links.
In the grander scheme of the cybercrime landscape, it seems that passive hunting cannot replace actively tracking and infiltrating cybercrime groups in order to successfully mitigate phishing activity such as this.
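As an added illustration of the brand-name watching described in the conclusions above (this is example code written for this page, not a tool from the original post or from the group it describes), the checker below scores a hostname by whether an impersonated brand appears outside that brand's own apex domain, whether a fake "brand.com" segment is embedded in the name, and how many account-notice lure words it carries. The brand list, lure vocabulary, public-suffix table and threshold are assumptions chosen to fit the hostnames quoted in this post; the sample inputs are constructed from it.

```python
import re
from dataclasses import dataclass, field

# Brands this post says the group impersonates, mapped to the apex domains they really use (assumed).
BRANDS = {
    "appleid": {"apple.com"},
    "itunes": {"apple.com"},
    "apple": {"apple.com", "icloud.com"},
    "paypal": {"paypal.com"},
}
# Account-notice vocabulary that the post's phishing hostnames lean on (assumed list).
LURE_WORDS = {
    "login", "signin", "verify", "verification", "verif", "account", "accounts",
    "support", "secure", "manage", "payment", "payments", "update", "limited",
    "alert", "recovery", "notification", "confirmation", "maintenance",
}
# Two-label public suffixes seen in the post's lists; anything else is treated as a one-label TLD.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "com.ve", "com.tw", "or.id", "co.id", "ac.id", "edu.bd"}
THRESHOLD = 4  # assumed cut-off; tune against your own certificate-transparency feed

@dataclass
class Verdict:
    host: str
    brands: list = field(default_factory=list)
    lures: list = field(default_factory=list)
    score: int = 0

def normalise(raw: str) -> str:
    """Undo defanging ('[.]', 'hxxp'), drop scheme and path, lower-case."""
    host = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    host = re.sub(r"^[a-z]+://", "", host)
    return host.split("/")[0].strip(".")

def registrable_domain(host: str) -> str:
    labels = host.split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def score_hostname(raw: str) -> Verdict:
    host = normalise(raw)
    v = Verdict(host)
    v.brands = [b for b in BRANDS if b in host]
    apex = registrable_domain(host)
    if not v.brands or apex in {d for b in v.brands for d in BRANDS[b]}:
        return v                      # no brand at all, or the brand's own domain: nothing to flag
    v.score += 3 * len(v.brands)      # brand name living outside the brand's real apex
    if any(d in host for b in v.brands for d in BRANDS[b]):
        v.score += 2                  # fake apex embedded in the name, e.g. 'secure-apple.com.'
    v.lures = sorted(set(re.split(r"[.\-]", host)) & LURE_WORDS)
    v.score += len(v.lures)
    return v

def is_phishing_candidate(raw: str) -> bool:
    return score_hostname(raw).score >= THRESHOLD
```

Feed it newly issued certificate subject names and review everything at or above the threshold; the apex check keeps the brands' genuine hosts out of the queue.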
Twitter handles connected to this group:
Phishing Domains:
Used Mailing Infrastructure:
Compromised Websites Shared By the Group:
*Currently unconfirmed if being used by the group.
Hi bro, I am a member of the ID spammer group ... your article is so good h3h3h3