Research

Identifying Scam Infrastructure

Artsiom Holub
Updated — July 24, 2020 • 3 minute read

Spam and online scams have been causing headaches since the dawn of the Web. Historically, most spammers bought or rented servers from black market providers like xDedic, the cybercriminal trading platform currently notable as the subject of an extensive exposé published by Kaspersky Labs, to target banking, dating, gambling and shopping sites as well as ad networks. However, because criminal economics is a live ecosystem that reacts to market needs, malware-as-a-service, ransomware-as-a-service, and exploit-kit-as-a-service models are changing that ecosystem while spammers and scammers are changing their day-to-day routines in an effort to attract more customers.
In this post, we’ll examine one scam campaign recently detected by OpenDNS that targets adult, gambling, and dating websites.
Detection
The initial discovery was made with an NLP rank classifier. Most of the detected domains appeared to serve the MikroTik RouterOS login page.
[Screenshot: MikroTik RouterOS login page served by a detected domain]
This group’s main focus is dating spam that drives traffic to fake dating services which collect personal information and typically require credit card information for registration. Current pricing varies from $1-$3 per 1000 emails.
Investigation
Locating actual emails delivered by this campaign required some digging, and we were lucky enough to get one of them:

[Screenshot: received email and the link in it]
[Screenshot: HTTP response headers]
[Screenshot: website to which users are redirected]

The domain serving the redirect sent users to mpodosaki[.]swingproject[.]eu, which had been compromised and injected with a malicious pjtxt[.]php file. This domain is still running a vulnerable version of Joomla, which is most likely how it was compromised in the first place.
Actors
Further investigation of the campaign led us to its actors and infrastructure. Because the majority of the campaign’s dedicated scam domains are registered under two accounts (fisher9006@rambler.ru and toleinik_viktor@lenta.ru), we can identify those users as the primary actors.
[Screenshots: Whois records for the two registrant accounts]
Most of them have very low traffic and don’t resolve to any IP, which indicates that they might be used later. Here is a domain that’s been actively involved in the campaign since July 12th:
And here is a domain active between June 16th and July 27th:
With newer domains, the actors started using Whois privacy protection and obfuscation. But if we look at the naming patterns of the subdomains, the similarity is obvious.
In this case, planet-dating-74[.]com is a dedicated second-level domain (2LD) for this dating spam campaign. It was registered on June 13, 2016, and its subdomain is the one used for spam. The fact that the 2LD and its subdomain resolve to different IPs appears to be a defense against IP blocking:
outlookern[.]planet-dating-74[.]com resolves to 213.147.140.17
planet-dating-74[.]com is hosted on 5.8.32.74
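The two patterns described above (subdomains resolving to IPs the apex never uses, and sequentially numbered lookalike 2LDs with mail-server-like subdomain labels) are easy to pull out of passive DNS data automatically. The following is an added example, not code from the original post or from Cisco Umbrella: it takes constructed (hostname, IP) records, only the two planet-dating-74 entries mirror the post, and everything else (the other hostnames, the documentation-range IPs, the mail-like label regex and the naive two-label 2LD split) is an assumption made for illustration.

```python
"""Cluster scam domains from passive-DNS style records (constructed sample)."""
import re
from collections import defaultdict

# Constructed sample records (hostname, resolved IP). The two planet-dating-74
# lines mirror the post; the rest are made up to show the grouping and are not
# data from the original investigation.
RECORDS = [
    ("planet-dating-74.com", "5.8.32.74"),
    ("outlookern.planet-dating-74.com", "213.147.140.17"),
    ("mailhub.planet-dating-74.com", "203.0.113.9"),
    ("planet-dating-75.com", "5.8.32.74"),
    ("smtpserv.planet-dating-75.com", "198.51.100.23"),
    ("example.org", "192.0.2.10"),
    ("www.example.org", "192.0.2.10"),
]

# Assumed heuristic: subdomain labels that try to look like mail infrastructure.
MAIL_LIKE = re.compile(r"^(mail|smtp|mx|pop|imap|outlook|exchange)", re.IGNORECASE)


def apex(hostname: str) -> str:
    """Naive second-level domain: the last two labels.
    Assumption: no public-suffix handling, so names under co.uk and similar
    suffixes would need the Public Suffix List in real use."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def group_by_apex(records):
    """Map each 2LD to the IPs its apex uses and a subdomain -> IP table."""
    groups = defaultdict(lambda: {"apex_ips": set(), "subdomains": {}})
    for host, ip in records:
        a = apex(host)
        if host.lower() == a:
            groups[a]["apex_ips"].add(ip)
        else:
            groups[a]["subdomains"][host.lower()] = ip
    return dict(groups)


def split_hosted_apexes(groups):
    """2LDs with at least one subdomain resolving to an IP the apex never uses,
    the IP-blocking evasion pattern the post describes."""
    result = set()
    for a, g in groups.items():
        if any(ip not in g["apex_ips"] for ip in g["subdomains"].values()):
            result.add(a)
    return result


def mail_impersonating_subdomains(groups):
    """Subdomains whose first label looks like a mail server name."""
    hits = []
    for g in groups.values():
        for host in g["subdomains"]:
            if MAIL_LIKE.match(host.split(".")[0]):
                hits.append(host)
    return sorted(hits)


def naming_pattern(apex_name: str) -> str:
    """Collapse digit runs so sequentially numbered lookalikes share one key."""
    return re.sub(r"\d+", "#", apex_name)


def pattern_clusters(groups):
    """Group 2LDs by their digit-collapsed name; keep clusters of size > 1."""
    clusters = defaultdict(list)
    for a in groups:
        clusters[naming_pattern(a)].append(a)
    return {p: sorted(v) for p, v in clusters.items() if len(v) > 1}


if __name__ == "__main__":
    g = group_by_apex(RECORDS)
    print("split-hosted 2LDs:", sorted(split_hosted_apexes(g)))
    print("mail-like subdomains:", mail_impersonating_subdomains(g))
    print("naming clusters:", pattern_clusters(g))
```

On the constructed data the unrelated example.org is left alone because its subdomain shares the apex IP, while both planet-dating 2LDs are flagged for split hosting and cluster together under the pattern planet-dating-#.com. Feeding real passive DNS exports through the same three functions gives a quick triage list of candidate campaign domains to review.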
Results
With these findings, we can conclude that this spam scheme is organized as below:
[Diagram: organization of the spam scheme]
We were able to identify 35 compromised routers in total. We can tell dedicated infrastructure from compromised infrastructure with a quick nmap scan: dedicated IPs have port 25 open (for email spam), while compromised IPs have only port 80 open (serving the HTTP injections).
[Screenshot: scan of a dedicated name server for the campaign domains]
[Screenshot: scan of a compromised device]

Even though mail[.]izlenimyapi[.]com is listed as a mail server, we can see that port 25 is closed. In this arrangement, the dedicated domains point to an IP that would remain unblocked even if every subdomain impersonating a mail server were blocked, since each of those subdomains points to a different compromised IP. Once again, this shows that malicious actors are well aware of common web filters and protection mechanisms.
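The port-profile heuristic from the scan results (port 25 open on dedicated hosts, only port 80 on compromised routers) and the "mail server in name only" check can both be applied mechanically to nmap grepable output. This is an added example, not code from the original post or from Cisco Umbrella: the scan lines, the hostnames under the reserved .invalid TLD, and the documentation-range IPs are constructed, and the nmap -oG field layout it parses is the standard one (`port/state/protocol/owner/service/rpc/version/`).

```python
"""Classify scan results into dedicated vs. compromised infrastructure."""
import re
from typing import Dict, List

# Constructed nmap grepable (-oG) lines. IPs are documentation ranges, not the
# addresses from the investigation; the field layout matches real -oG output.
SCAN_OUTPUT = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 198.51.100.5 ()\tStatus: Up
Host: 198.51.100.5 ()\tPorts: 25/open/tcp//smtp///, 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 203.0.113.40 ()\tStatus: Up
Host: 203.0.113.40 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
Host: 203.0.113.41 ()\tStatus: Up
Host: 203.0.113.41 ()\tPorts: 80/open/tcp//http///, 25/closed/tcp//smtp///\tIgnored State: filtered (998)
Host: 192.0.2.77 ()\tStatus: Up
Host: 192.0.2.77 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Constructed hostname -> IP pairs standing in for DNS data gathered earlier.
HOSTS = {
    "ns1.scam-campaign.invalid": "198.51.100.5",
    "mail.victim-a.invalid": "203.0.113.40",
    "smtp.victim-b.invalid": "203.0.113.41",
    "www.unrelated.invalid": "192.0.2.77",
}

# port/state/protocol/ prefix of each entry in the -oG Ports field
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text: str) -> Dict[str, set]:
    """Return {ip: set of open TCP ports} from nmap -oG output."""
    open_ports: Dict[str, set] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and the bare "Status: Up" lines carry no ports
        ip = line.split()[1]
        ports_field = line.split("Ports:")[1].split("\t")[0]  # stop before "Ignored State"
        ports = {int(p) for p, state, proto in PORT_RE.findall(ports_field)
                 if state == "open" and proto == "tcp"}
        open_ports.setdefault(ip, set()).update(ports)
    return open_ports


def classify(open_ports: set) -> str:
    """Apply the post's heuristic: 25 open => dedicated; only 80 => compromised."""
    if 25 in open_ports:
        return "dedicated"
    if open_ports == {80}:
        return "compromised"
    return "unclassified"  # anything else needs a human look


def classify_hosts(text: str) -> Dict[str, str]:
    """Classification per scanned IP."""
    return {ip: classify(ports) for ip, ports in parse_grepable(text).items()}


def fake_mail_servers(hosts: Dict[str, str], open_ports: Dict[str, set]) -> List[str]:
    """Hostnames that look like mail servers but whose IP does not accept SMTP."""
    flagged = []
    for name, ip in hosts.items():
        label = name.split(".")[0].lower()
        if label.startswith(("mail", "smtp", "mx")) and 25 not in open_ports.get(ip, set()):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    scanned = parse_grepable(SCAN_OUTPUT)
    for ip, verdict in classify_hosts(SCAN_OUTPUT).items():
        print(f"{ip:16} {verdict:13} open={sorted(scanned[ip])}")
    print("mail servers in name only:", fake_mail_servers(HOSTS, scanned))
```

The third host is the interesting case: port 25 shows up in the scan but as closed, so it is still classified as compromised, and its smtp hostname is flagged as impersonation, the same situation the post describes for mail[.]izlenimyapi[.]com. The "unclassified" bucket keeps hosts that match neither profile from being silently mislabelled.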
Mapping the compromised IPs to their geolocations shows that the devices are broadly spread. We also identified a whole range of OS versions, with none of them prevailing. We concluded that the compromised devices were not exploited through a specific vulnerability (unless there is a zero-day affecting every MikroTik RouterOS version) but were instead compromised with brute-forcing software used at large scale.

[Map: geolocations of compromised devices running RouterOS]

Currently there are two products with this functionality available on the black market:

  • Router Scan by Stas’M, which is able to find, identify, and cull useful information from a variety of devices among a large number of known routers
  • MKBRUTUS, a password brute-forcer for MikroTik devices or boxes running RouterOS

As for the scope of such a scan, a quick Shodan query reveals 1,124,859 web-facing MikroTik devices.
As a result of this research, we identified this campaign’s spam infrastructure and the malicious actors behind it. With a deeper dig into the research we’ve already acquired, we may be able to connect this campaign to other cybercrimes.
