Research

Identifying Scam Infrastructure

By Artsiom Holub
Posted on August 5, 2016
Updated on July 24, 2020


Spam and online scams have been causing headaches since the dawn of the Web. Historically, most spammers bought or rented servers from black market providers like xDedic, the cybercriminal trading platform currently notable as the subject of an extensive exposé published by Kaspersky Labs, to target banking, dating, gambling and shopping sites as well as ad networks. However, because criminal economics is a live ecosystem that reacts to market needs, malware-as-a-service, ransomware-as-a-service, and exploit-kit-as-a-service models are changing that ecosystem while spammers and scammers are changing their day-to-day routines in an effort to attract more customers.
In this post, we’ll examine one scam campaign recently detected by OpenDNS that targets adult, gambling, and dating websites.
Detection
The initial discovery was made with the NLP rank classifier. Most of the detected domains appeared to serve a MikroTik RouterOS login page.
[Screenshot: RouterOS login page served by a detected domain]
This group’s main focus is dating spam that drives traffic to fake dating services which collect personal information and typically require credit card information for registration. Current pricing varies from $1-$3 per 1000 emails.
Investigation
Locating actual emails delivered by this campaign required some digging, and we were lucky enough to get one of them:

[Screenshot: received email and the link in it]
[Screenshot: HTTP response headers]
[Screenshot: website to which users are redirected]

The serving domain redirected to mpodosaki[.]swingproject[.]eu, a site that had been compromised and injected with the malicious pjtxt[.]php file. This domain is still running a vulnerable version of Joomla, which is most likely how it was compromised in the first place.
[Screenshot: the compromised Joomla site]
Actors
Further investigation of the campaign led us to discover its actors and infrastructure. Because the majority of the domains dedicated to this scam campaign are registered under two accounts (fisher9006@rambler.ru and toleinik_viktor@lenta.ru), we can identify those users as the primary actors.
[Screenshots: domains registered under the two accounts]
Most of them have very low traffic and don’t resolve to any IP, which indicates that they might be used later. Here is a domain that’s been actively involved in the campaign since July 12th:
[Screenshot: domain active since July 12th]
And here is a domain active between June 16th and July 27th:
[Screenshot: domain active between June 16th and July 27th]
With newer domains, the actors started using Whois privacy protection and obfuscation. But if we look at the naming patterns of the subdomains, the similarity is obvious:
[Screenshots: subdomain naming patterns of the newer domains]
In this case, planet-dating-74[.]com is a dedicated second-level domain (2LD) for this dating spam campaign. It was registered on June 13, 2016, and its subdomain is the one used for spam. The fact that the 2LD and its subdomain resolve to different IPs appears to be a defense against IP blocking:
  • outlookern[.]planet-dating-74[.]com resolves to 213.147.140.17
  • planet-dating-74[.]com is hosted on 5.8.32.74
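The split between the 2LD and its spam subdomain can be checked mechanically over passive-DNS style records, which is useful when a blocklist is built from the apex alone. The Python below is an added example, not code from the original post or from OpenDNS: it refangs the `[.]` notation, groups records by 2LD, and flags 2LDs whose subdomains resolve to an IP different from the apex. The planet-dating-74 records use the IPs reported above; the izlenimyapi and planet-dating-75 entries are constructed for illustration (198.51.100.0/24 is a documentation range), and the two-label 2LD rule is an assumption that holds for the .com/.eu names in this post but not for suffixes such as .co.uk.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (fqdn, resolved IP) records. Only the planet-dating-74
# pair reflects values reported in the post; the rest are constructed.
SAMPLE_RECORDS = [
    ("outlookern[.]planet-dating-74[.]com", "213.147.140.17"),
    ("planet-dating-74[.]com", "5.8.32.74"),
    ("mail[.]izlenimyapi[.]com", "198.51.100.23"),  # constructed IP
    ("izlenimyapi[.]com", "198.51.100.23"),         # constructed: apex shares the IP
    ("planet-dating-75[.]com", None),               # constructed: registered, not resolving
]


def refang(domain):
    """Turn the defanged 'example[.]com' notation used in reports into a real hostname."""
    return domain.replace("[.]", ".").lower().strip(".")


def second_level_domain(fqdn):
    """Registrable 2LD as the last two labels (assumption: plain TLDs like .com/.eu)."""
    labels = refang(fqdn).split(".")
    return ".".join(labels[-2:])


def valid_ip(ip):
    """Accept only well-formed addresses; passive DNS exports often contain junk."""
    if ip is None:
        return None
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        return None


def group_by_2ld(records):
    """Group records by 2LD, keeping the apex IP apart from subdomain IPs."""
    groups = defaultdict(lambda: {"apex": None, "subdomains": {}})
    for fqdn, ip in records:
        name = refang(fqdn)
        sld = second_level_domain(name)
        if name == sld:
            groups[sld]["apex"] = valid_ip(ip)
        else:
            groups[sld]["subdomains"][name] = valid_ip(ip)
    return groups


def flag_split_hosting(records):
    """Return (split, parked): 2LDs whose apex and a subdomain resolve to different
    IPs (the IP-blocking defense described above), and 2LDs with no resolution at
    all (registered for later use)."""
    split, parked = [], []
    for sld, info in group_by_2ld(records).items():
        apex_ip = info["apex"]
        sub_ips = info["subdomains"].values()
        if apex_ip is None and not any(sub_ips):
            parked.append(sld)
            continue
        if apex_ip is not None and any(ip and ip != apex_ip for ip in sub_ips):
            split.append(sld)
    return sorted(split), sorted(parked)


if __name__ == "__main__":
    split, parked = flag_split_hosting(SAMPLE_RECORDS)
    print("split hosting:", split)   # ['planet-dating-74.com']
    print("parked:", parked)         # ['planet-dating-75.com']
```

A 2LD that lands in the split list is a signal that blocking the apex IP alone will not stop the campaign's mail links; block at the domain layer, or on the subdomain IPs as well.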
Results
With these findings, we can conclude that this spam scheme is organized as below:
[Diagram: organization of the spam scheme]
We identified 35 compromised routers in total. A quick nmap scan distinguishes dedicated from compromised infrastructure: dedicated IPs have port 25 open (for sending spam), while compromised IPs have only port 80 open (serving the HTTP injections).
[Screenshot: scan of a dedicated name server for the domains]
[Screenshot: scan of a compromised device]

Even though mail[.]izlenimyapi[.]com is listed as a mail server, port 25 is closed on it. In this arrangement the dedicated domains point to an IP that would not be blocked even if every subdomain impersonating a mail server were, since each of those subdomains points to a different compromised IP. Once again, this shows that the actors are well aware of common web filters and protection mechanisms.
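The port-25-versus-port-80 heuristic above is easy to apply to scan output already in hand. The Python below is an added example, not code from the original post or from OpenDNS: it parses nmap's grepable (`-oG`) format and labels each host as dedicated (port 25 open), a compromised device (only port 80 open), or unclassified. The scan text is constructed for illustration; the port states shown for the post's IPs are not a record of a real scan, and 192.0.2.0/24 is a documentation range.

```python
import re

# Constructed nmap -oG output. Port states are illustrative only.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 5.8.32.74 ()\tStatus: Up
Host: 5.8.32.74 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 213.147.140.17 ()\tStatus: Up
Host: 213.147.140.17 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///\tIgnored State: filtered (998)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
# Nmap done (constructed sample)
"""

# "Host: <ip> (<hostname>)<tab>Ports: <entries>[<tab>Ignored State: ...]"
PORTS_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.+?)(?:\t|$)")


def parse_open_ports(grepable_text):
    """Return {ip: set of open TCP ports}. Hosts that were up but produced no
    'Ports:' line are kept with an empty set so they are not silently dropped."""
    hosts = {}
    for line in grepable_text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith("Host:"):
            hosts.setdefault(line.split()[1], set())
        match = PORTS_LINE.match(line)
        if not match:
            continue
        ip, _hostname, ports_field = match.groups()
        # Each entry is port/state/proto/owner/service/rpcinfo/version/
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open" and proto == "tcp":
                hosts[ip].add(int(port))
    return hosts


def classify_host(open_ports):
    """Apply the post's heuristic: SMTP open means dedicated spam infrastructure,
    web-only means a compromised device serving injections."""
    if 25 in open_ports:
        return "dedicated"
    if open_ports == {80}:
        return "compromised-device"
    return "unclassified"


def triage_scan(grepable_text):
    """Map every scanned host to its role label."""
    return {ip: classify_host(ports) for ip, ports in parse_open_ports(grepable_text).items()}


if __name__ == "__main__":
    for ip, role in triage_scan(SAMPLE_SCAN).items():
        print(f"{ip:16} {role}")
```

The "unclassified" bucket matters for triage: a host that is up but shows neither profile should be reviewed by hand rather than assumed to be one or the other, and the compromised-device label is a prompt to notify the device owner, not a verdict by itself.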
Mapping the compromised IPs to their geolocations shows that the devices are spread widely. We also identified a whole range of RouterOS versions, with none of them prevailing. We concluded that the compromised devices were not exploited through a specific vulnerability (unless there is a zero-day affecting every MikroTik RouterOS version) but were instead taken over by password brute-forcing software used at large scale.

[Map: geolocations of compromised devices running RouterOS]

Currently there are two products with this functionality available on the black market:

  • Router Scan by Stas’M, which is able to find, identify, and cull useful information from a variety of devices among a large number of known router models
  • MKBRUTUS, a password brute-forcer for MikroTik devices or boxes running RouterOS

As for the scope of such a scan, a quick Shodan query reveals 1,124,859 Web-facing MikroTik devices.
As a result of this research, we identified this campaign’s spam infrastructure and the malicious actors behind it. By digging deeper into the data we have already gathered, we may be able to connect this campaign to other cybercrimes.
