Indonesian Spam Communities

In our last post we tried to shed some light at what seemed to appear as a very common PayPal phishing email at first glance, but evidently turned out to be connected to a quite larger and more unique campaign the deeper we looked at. When we investigated that single email, we were actually able to discover a wide ranging spam group originating from Indonesia which looked to be responsible for the phishing activity we originally saw. Through that seemingly common PayPal phishing email, we found out that an Indonesian group was targeting various well-known companies’ customer base by mass sending phishing emails via uniquely identifiable Twitter shortened URL redirections. 

They have done so with great success, as we demonstrated by showing you some of the attacker’s self-shared screenshots of incoming victim credit card information. And we last left off by identifying some additional Twitter handles spreading phishing links and hunting some more connected infrastructure to that specific campaign.

Since our last update on the matter, we’ve continued to monitor this group’s activity, passing along our findings to relevant parties. However, in the process of studying this group, we’ve also discovered a secondary set of the Indonesian spamming community in addition to the already identified SlackerC0de and Spammer ID from our previous post. This secondary group uses a set of slightly different tools and techniques, but stays true to the identical core of collective financial scamming efforts which we've previously written about.

SendInbox
While we were looking at what the Spammer ID guys were doing in their group, we saw that they began discussing an additional mailing tool they were using called "Sendinbox". Up to this point we saw that they were mainly sharing their use of mailing tools like "heart sender" and "GX40 sender". We've also seen the Spammer ID group try and use XAMPP with sendmail from their localhost relaying through SlackerC0de infrastructure. They used these methods along with web based tools on their group websites like the ones we saw them make available on tool[.]slackerc0de[.]us. When we took a look at what "Sendinbox" was -  we saw that it was a PHP tool based on the popular PHPMailer library.  After we started going through the group's chat we witnessed them discuss how they're setting this tool through their shared group servers mainly using Apple and PayPal phishing letters as their payload.

As you can see from the above screenshots, the 'Sendinbox' tool lets the attacker send a set of many emails at once with a preconfigured scam message through mail relay servers. In this example an attacker is testing if his emails are being received as regular inbox mails or filtered as spam to his own Yahoo account. We kept seeing this type of "QA" process being taken by the different stages of server changes by the attackers. 

BMarket ID
"Sendinbox" is made by an "Eka Syahwan" who runs a separate community of groups to Spammer ID on various social platforms. The main purpose for this being to provide support for his user base to whom he sold his mailer tool. A happy customer in this case brings in more potential buyers. The main website for this community - Bmarket[.]or[.]id also hosts a relay server for email campaigns hxxp://bmarket[.]or[.]id/sendinbox-server[.]php

A close knit user base such as this offers the potential scammer support for his phishing campaigns, the tool creator provides updates to the tool and workarounds to potential service blocks. Which kept amounting the more we looked at their group correspondence. Group members complained that the provided email servers were not mailing their scams successfully or that they're going to spam folders. So we witnessed a heavy shift from the recognized servers like bmarket[.]or[.]id to group members actively looking for compromised servers to relay their emails.  

Group members such at the one above started looking for compromised servers to upload their sendinbox tool for future campaign use and shared them with the group. Once they've gained their successful hold on a compromised website, they uploaded their SendInbox email tool as can be seen below.

Other members also shared their use of vulnerability scanning tools to hunt for potential servers in the group chat.

Along with the proactive hunting these group members were conducting, they were monitoring another website belonging to the "Sendinbox" tool creator called IndoXploit which listed additional compromised servers for them to use in their phishing campaigns.

Eka Syahwan even lists this fact on his personal Facebook profile, along with regular updates to his scamming activity, as we can see in his most recent  warning post about some rippers that recently tried to do business with him on Telegram:

Since this is a smaller community with a tendency to share their success and failures a little bit more than Spammer ID - it made it easier for us to track what they were doing in their campaigns. And this group was definitely busy - we've seen them successfully harvest many CC records via targeted email lists, ranging from alphabetically ordered emails to emails from specific sectors like large educational institutions in the US. 

An email list an attacker has prepared to massively spam his phishing letters. This list is alphabetically ordered Yahoo accounts which were already validated as Apple users. 

We've witnessed this group target specific sectors or user base, such as in the below example of them targeting specifically Japanese users from IT provider Softbank Japan:

This group is also sophisticated enough to socially engineer the appropriate letters for a geographically and linguistic group like these Japanese Apple users as we picked them testing out various Japanese templates, how they're received in a Japanese Yahoo, and bouncing if possible off Japanese accounts.

Successfully harvested credentials received in an attacker's email.

We only were able to look at the shared incoming credentials in the group chats, which amounted to hundreds of victims by our count. If we were to combine the credentials which weren't being shared it probably would make the true number of their victims much higher than that. 

Conclusions
Traditional phishing hunting operations tend to rely on certificate and brandname watching. This tactic offers to usually be quite successful since phishing domains don't tend to have a lifespan larger than a day or two, and if by any chance the phishing page wasn't hunted, it at least is usually reported as fake by wary users. 
The threat that closed scamming communities such as BMarket poses is the advantage of crowdsourcing their setbacks and problems. While a single and lone scammer might quit after being unsuccessful in his attack, a strong base of experienced users, and in this case a tool creator looking to satisfy his clients will immediately fix what is being broken or detected by phish domain watchers. It also offers some confidentiality to their operations. A small group such as this is harder to track when it doesn't make much noise beyond their chat platforms. While some of their phishing domains are quickly identified, when looking at their operations - we saw that a lot of Apple and PayPal customers still fell victim to their ploy. We also think this is due to this group's heavy use of shortened and redirected links.
In the grander scheme of the cybercrime landscape, it seems that relying on passive hunting may not replace actively tracking and infiltrating cybercrime groups to successfully mitigate some parts of phishing activity such as this. 

IOCs

Twitter handles connected to this group:
https://twitter.com/belajargila3
https://twitter.com/nawalbelh
https://twitter.com/johanes95826552
https://twitter.com/jancoek14
https://twitter.com/rohmatizud
https://twitter.com/Ongki54705384
https://twitter.com/test19259665
https://twitter.com/wibowoandy14
https://twitter.com/baringinasido
https://twitter.com/PnatekM
https://twitter.com/bambangkou
https://twitter.com/Bajungan1
https://twitter.com/dzakialvriano1
https://twitter.com/bastian55115067
https://twitter.com/pea_sang
https://twitter.com/yusupmuhammad23
https://twitter.com/akibernad
https://twitter.com/XCrow8
https://twitter.com/backes_oswald
https://twitter.com/kontolklean
https://twitter.com/AHarsakti

Phishing Domains:
manageaccountclient[.]com
appleid.apple.com.login.contact-support[.]email
anakperawan[.]business
id.apple.com-en.manage.trying-verif[.]net
panca-sakti.ac.id/wp-plugin[.]php
pymntspprtverifycnt.webhop[.]me
app-idnscj-34[.]com/?16shop
updatepaymentslockaccountsprimarry.promisetcechprofile[.]com/?desacoli/?manage 

updatepaymentprifleyouraccounts.aenjay[.]com/?selimutbiru
home-pavypal.com-acknowledge[.]info
kontol.jepat.cgi-account-notification[.]ga
login-appleitunesap.servehttp[.]com
itunes-storeapple.servehttp[.]com
appleservicess-comfrimation[.]com
amazon-service-server.usa[.]cc
paypal-resolved-limited-com-ah581h8gda87weg9i8tacyuabwe.intoleratne[.]com
secure-apple.com.webapps-support-account[.]com
appleid-apple.comsign-id[.]gq
maintenance-servicesupport[.]com
secure-apple.com.maintenance-servicesupport[.]com
paypal.com-webs.app-logininformation.trying-verif[.]info
webapps-support-account[.]com
account-reportsummaryid[.]com
accountlimitedrecovery[.]com
subscription-accept[.]com
support.apple-verification.com.kuinginmencintainyatapiadaorangkedua12[.]org
accountinformationappupdate[.]ga
security-account-appleid-apple[.]com
appidaccountlaert-helpmanageupdate[.]com
paypal.com-useraccess.rabiverivcationc[.]com
payment-appleid-apple[.]store
appidaccountalert-manageupdateinfo[.]com
manage-accountv-apple[.]com
162.144.52.238
35.199.147.246
142.93.86.114
192.163.201.156

Used Mailing Infrastructure:
www.ingemetal[.]com[.]ve/sendinbox-server.php
kamullflauge[.]com/mailer/sendinbox.php
bondiicerink[.]starsonice[.]com[.]au/tickets/sendinbox-server[.]php 
bmarket[.]or[.]id/sendinbox-server[.]php
bbsp[.]co[.]id/sendinbox-server[.]php 
thealmondslices[.]com/wp-content/plugins/simple/sendinbox-server[.]php
www.bang-pa[.]com/sendinbox-server[.]php
www.ingemetal[.]com[.]ve/sendinbox-server.php
http://ts666[.]tw/cgi-bin/wp-back.php
http://xn--uis74a0us56agwen8q[.]tw/cgi-bin/wp-back.php
http://xn--uis76c70xigmku7b[.]tw/cgi-bin/wp-back.php
http://ts886[.]net/cgi-bin/wp-back.php
http://xn--uisz5ba41c994d[.]com/cgi-bin/wp-back.php
http://ts5588[.]in/cgi-bin/wp-back.php
https://e-riset.litbang.kemkes[.]go[.]id/red.php?ID

transzach[.]com

khatlon[.]tj
pbonline[.]net
suppoters-values[.]flights
thealmondslices[.]com
portaldosurdo[.]com
lagacetadelporno[.]com
kubotalubbock[.]net
devsaad[.]com

ace-academy[.]org

justessex[.]co[.]uk
mothermyrle[.]com
dclmhub[.]org

soriko[.]bg
dasgpi[.]edu[.]bd
polresku[.]id
app.sycamoreschool[.]com

61.19.251.44
231.100.76.32
37.59.28.24
45.64.1.58
43.250.250.62
50.87.249.80
79.124.76.95
95.142.80.3
103.15.226.230
103.247.11.50
104.20.155.77
104.238.117.234
108.167.180.222
162.241.230.74
162.241.217.60
186.202.153.58
173.236.169.164
182.70.240.119
192.95.11.64
192.163.208.222
132.148.154.122
205.178.189.131
202.70.136.137
204.197.252.169
217.182.113.29

Compromised Websites Shared By the Group:
countdown-showband[.]de//images/jsspwneed.png
http://www.adslaminar[.]com//images/jdownloads/screenshots/jsspwned.png
http://www.psp2.radom[.]pl//images/jdownloads/screenshots/jsspwned.png
http://www.argonrostov[.]ru//images/jsspwneed.php
http://www.oplus-conseil[.]fr//images/jsspwneed.php
http://china.lanfa.com[.]tw//images/jsspwneed.php
http://www.emgiasa[.]es//images/jsspwneed.php
http://www.oplus-conseil[.]fr//images/jsspwneed.php
http://china.lanfa.com[.]tw//images/jsspwneed.php
http://www.emgiasa[.]es//images/jsspwneed.php
http://www.gammi-ltd[.]ru//images/jsspwneed.php
http://focusmobi.com[.]br//wp-content/plugins/revslider/temp/update_extract/revslider/jsspwned.php
http://syaden[.]net//images/jdownloads/screenshots/jsspwned.png
http://vanguardacademy-ng[.]com//sites/default/files/jsspwnx.php
mail.kingacreative[.]com|info@kingacreative.com|123123
http://www.aytobareyo[.]org/sites/default/files/jsspwnx.php
http://www.technikus[.]pl//images/jsspwneed.php
http://devsaad[.]com/sites/default/files/jsspwnx.php
http://certusprocess[.]com//images/jsspwned.php
http://www.limontech[.]pl//images/jsspwneed.php
http://gemilangasia[.]com//wp-content/plugins/revslider/temp/update_extract/revslider/jsspwned.php
http://www.colegioserecrescer.com.br//wp-content/plugins/cherry-plugin/admin/import-export/jsspwned.php
http://www.jardimexpress.com[.]br//wp-content/plugins/cherry-plugin/admin/import-export/jsspwned.php
http://vykopatkolodec[.]ru//wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/revslider/jsspwned.php
*Currently unconfirmed if being used by the group.