Spam and online scams have been causing headaches since the dawn of the Web. Historically, most spammers bought or rented servers from black-market providers such as xDedic, the cybercriminal trading platform recently the subject of an extensive exposé by Kaspersky Lab, to target banking, dating, gambling and shopping sites as well as ad networks. But criminal economics is a live ecosystem that reacts to market demand: malware-as-a-service, ransomware-as-a-service and exploit-kit-as-a-service models are reshaping it, and spammers and scammers are changing their day-to-day routines in an effort to attract more customers.

In this post, we’ll examine one scam campaign recently detected by OpenDNS that targets adult, gambling, and dating websites.

Detection

The initial discovery was made with our NLP rank classifier. Most of the detected domains appeared to serve a MikroTik RouterOS login page.

[Screenshot: MikroTik RouterOS login page served by one of the detected domains]

This group's main focus is dating spam that drives traffic to fake dating services, which collect personal information and typically require credit card details to register. Current pricing varies from $1 to $3 per 1,000 emails.

Investigation

Locating actual emails delivered by this campaign required some digging, and we were lucky enough to get one of them:

[Screenshot: the received email and the link in it]

[Screenshot: HTTP response headers]

[Screenshot: the website to which users are redirected]

The link in the email redirected to mpodosaki[.]swingproject[.]eu, a site that had been compromised and injected with the malicious pjtxt[.]php file. The site still runs a vulnerable version of Joomla, which is most likely how it was compromised in the first place.

Actors 

Further investigation of the campaign led us to its actors and infrastructure. Because the majority of the campaign's dedicated scam domains are registered under two accounts (fisher9006@rambler.ru and toleinik_viktor@lenta.ru), we can identify those registrants as the primary actors.

[Screenshots: Whois records for the two registrant accounts]

Most of these domains see very little traffic and do not resolve to any IP yet, which suggests they are being held in reserve for later use. Here is a domain that has been actively involved in the campaign since July 12th:

[Screenshot: a domain active in the campaign since July 12th]

And here is a domain active between June 16th and July 27th:

[Screenshot: a domain active between June 16th and July 27th]

With the newer domains, the actors started using Whois privacy protection and other obfuscation. But if we look at the naming patterns of the subdomains, the similarity is obvious:

[Screenshots: subdomain naming patterns of two of the campaign's domains]

In this case, planet-dating-74[.]com is a dedicated second-level domain (2LD) for this dating spam campaign. It was registered on June 13, 2016, and its subdomain is the one used in the spam. The fact that the 2LD and the subdomain resolve to different IPs appears to be a defense against IP-based blocking.

outlookern[.]planet-dating-74[.]com resolves to 213.147.140.17

planet-dating-74[.]com resolves to 5.8.32.74
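The split described above, with the 2LD on one IP and mail-server-lookalike subdomains each on a different IP, is something you can hunt for in passive DNS data. The following is an added example, not code from the original post or from OpenDNS: it takes a list of (hostname, IP) records and flags 2LDs whose mail-lookalike subdomains resolve to IPs that are distinct from the apex and from each other. The planet-dating-74 pair comes from the post; every other record, the list of "mail-like" label tokens and the naive 2LD extraction are constructed assumptions for the sake of the demo.

```python
"""Flag 2LDs whose mail-lookalike subdomains fan out over unrelated IPs.

Added example, not part of the original post. Input records are
constructed; only the planet-dating-74 pair is taken from the write-up.
"""
from collections import defaultdict

# Constructed passive-DNS-style records: (hostname, resolved IP).
RECORDS = [
    ("planet-dating-74.com", "5.8.32.74"),            # apex, from the post
    ("outlookern.planet-dating-74.com", "213.147.140.17"),  # from the post
    ("mailserv.planet-dating-74.com", "198.51.100.23"),     # constructed
    ("smtpgate.planet-dating-74.com", "203.0.113.9"),       # constructed
    ("example-shop.net", "192.0.2.10"),               # benign control, constructed
    ("mail.example-shop.net", "192.0.2.10"),
    ("www.example-shop.net", "192.0.2.10"),
]

# Label fragments that make a hostname look like a mail server (assumed list).
MAIL_TOKENS = ("mail", "smtp", "outlook", "mx", "imap", "pop")


def apex_of(hostname):
    """Naive 2LD: the last two labels. Fine for .com/.net samples; a real
    tool would consult the public suffix list."""
    return ".".join(hostname.split(".")[-2:])


def looks_like_mail_host(hostname):
    """True if the leftmost label contains a mail-server-style token."""
    label = hostname.split(".")[0].lower()
    return any(tok in label for tok in MAIL_TOKENS)


def suspicious_2lds(records, min_subdomains=2):
    """Return {apex: sorted subdomain IPs} for apexes where at least
    min_subdomains mail-lookalike subdomains each sit on their own IP and
    none of those IPs is shared with the apex itself."""
    by_apex = defaultdict(lambda: {"apex_ips": set(), "mail_subs": {}})
    for host, ip in records:
        apex = apex_of(host)
        entry = by_apex[apex]
        if host == apex:
            entry["apex_ips"].add(ip)
        elif looks_like_mail_host(host):
            entry["mail_subs"].setdefault(host, set()).add(ip)

    flagged = {}
    for apex, entry in by_apex.items():
        sub_ips = {ip for ips in entry["mail_subs"].values() for ip in ips}
        one_ip_each = len(sub_ips) == sum(len(v) for v in entry["mail_subs"].values())
        if (len(entry["mail_subs"]) >= min_subdomains
                and one_ip_each
                and sub_ips.isdisjoint(entry["apex_ips"])):
            flagged[apex] = sorted(sub_ips)
    return flagged


if __name__ == "__main__":
    for apex, ips in suspicious_2lds(RECORDS).items():
        print(apex, "->", ", ".join(ips))
```

The benign control domain is not flagged because its single mail host shares the apex IP, which is how a legitimately self-hosted site usually looks. Treat a hit as a lead, not a verdict: the next step in the post, checking which of those IPs actually expose SMTP, is what separates a spam sender from a compromised box.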

Results

With these findings, we can conclude that this spam scheme is organized as below:

[Diagram: organization of the spam scheme]

We identified 35 compromised routers in total. Dedicated and compromised infrastructure can be told apart with a quick nmap scan: the dedicated IPs have port 25 open (for sending spam), while the compromised IPs have only port 80 open (serving the HTTP injections).
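To apply that port heuristic across a list of IPs rather than reading scan results one at a time, the script below, which is an added example and not code from the original post, parses nmap's grepable (`-oG`) output and labels each host. The scan output embedded in it is constructed from documentation-range addresses, not the campaign's real hosts; the labels "dedicated" and "compromised-router?" and the treatment of filtered ports are my own choices.

```python
"""Label scanned hosts using the open-port heuristic from the post:
SMTP open -> dedicated spam infrastructure; only HTTP open -> probably a
compromised router. Added example; the sample scan output is constructed.
"""
import re

# Constructed output in the format produced by:
#   nmap -Pn -p 25,80 -oG - <targets>
SAMPLE_NMAP_OG = """\
# Nmap 7.12 scan initiated as: nmap -Pn -p 25,80 -oG - 192.0.2.0/30 198.51.100.5
Host: 192.0.2.1 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///
Host: 192.0.2.2 ()\tPorts: 25/closed/tcp//smtp///, 80/open/tcp//http///
Host: 192.0.2.3 ()\tPorts: 25/filtered/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (0)
Host: 198.51.100.5 ()\tPorts: 25/closed/tcp//smtp///, 80/closed/tcp//http///
# Nmap done at Mon Aug  1 13:56:18 2016 -- 4 IP addresses (4 hosts up) scanned in 2.31 seconds
"""

# "Host: <ip> (<hostname>)<tab>Ports: <entries>" lines; everything else is ignored.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Return {ip: {port: state}} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports_field = m.groups()
        # Drop a trailing "Ignored State: ..." column if present.
        ports_field = ports_field.split("\t")[0]
        states = {}
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(parts) < 2 or not parts[0].isdigit():
                continue
            states[int(parts[0])] = parts[1]
        hosts[ip] = states
    return hosts


def classify(hosts):
    """Apply the heuristic. A filtered port 25 is not treated as open: a
    router that silently drops SMTP still counts as HTTP-only."""
    labels = {}
    for ip, states in hosts.items():
        smtp_open = states.get(25) == "open"
        http_open = states.get(80) == "open"
        if smtp_open:
            labels[ip] = "dedicated"
        elif http_open:
            labels[ip] = "compromised-router?"
        else:
            labels[ip] = "unknown"
    return labels


if __name__ == "__main__":
    for ip, label in classify(parse_grepable(SAMPLE_NMAP_OG)).items():
        print(f"{ip:16} {label}")
```

Two ports are a coarse signal. Confirming the "compromised router" label means looking at what port 80 actually serves, for instance the RouterOS login page the classifier picked up in the first place, and an SMTP listener alone does not prove a host is spam infrastructure.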

[Screenshot: nmap scan of a dedicated name server for the campaign's domains]

[Screenshot: nmap scan of a compromised device]

Even though mail[.]izlenimyapi[.]com is named as if it were a mail server, port 25 on it is closed. In this setup the dedicated domains point to an IP that stays unblocked even if every subdomain impersonating a mail server is blocked, because each of those subdomains points to a different compromised IP. Once again, this shows that the actors are well aware of common web filters and protection mechanisms.

Mapping the compromised IPs to their geolocations shows that the devices are widely spread. We also found a whole range of RouterOS versions, with none of them prevailing. We therefore concluded that the devices were not compromised through a single specific vulnerability (unless there is a zero-day affecting every MikroTik RouterOS version) but through large-scale credential brute-forcing.

[Screenshot: geolocations of compromised devices running RouterOS]

Currently, two tools with this capability are available on the black market:

  • Router Scan by Stas'M, which can find, identify and extract useful information from a variety of devices among a large number of known router models
  • MKBRUTUS, a password brute-forcer for MikroTik devices and other boxes running RouterOS

As for the potential scope of such a scan, a quick Shodan query reveals 1,124,859 Internet-facing MikroTik devices.

As a result of this research, we identified this campaign's spam infrastructure and the actors behind it. Digging deeper into the data we have already gathered may let us connect this campaign to other cybercrimes.
