Breaking News

Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand-Jacking Money Mule Recruitment Scheme

Over the years, I've been actively researching the money mule recruitment epidemic, providing actionable (real-time/historical) intelligence on their activities, exposing their DNS infrastructure, offering exclusive peek inside the Administration Panels utilized by money mules, emphasizing on current and emerging tactics applied by the individuals orchestrating the final stages of a fraudulent operation - the cash out process through basic risk-forwarding.

Catch up with previous research on the money mule recruitment problem:
In this post, I'll profile a novel money mule recruitment scheme, that involves high profit margins -- of course for the ones organizing the scheme -- through a direct, and most importantly, (pseudo) legal brand-jacking of a gullible business owner's brand name, enticing him/her into opening a merchant account for processing E-commerce transactions, coming from more gullible and socially engineered mules.

It all begins with an email coming from a non-existent "environmental enterprise", that in this particular case is abusing Google's brand in an attempt to increase the probability of a successful interaction with the socially engineered business owners:

Sample email:
Environmental enterprise searching for representation internationally
5% commission on 200K cash flow originated from promotion and sales of proprietary research articles

Necessary conditions:
- Own a company - Be reachable on daily basis through E-mail, phone or Skype - Proper execution of all planned undertakings

In case if being interested, please provide:
-  Name and Surname - Age - Telephone number (including country code) - City and Country - Email

Please answer to: NAME@googleapp-consult.com

Faithfully yours,
HR dept


Those who reply are kindly asked to open a merchant bank account using their own company data, and assured that, despite the fact that the Web site which will be selling the bogus 'research articles' will be using their (legitimate) business brand's name and contact details, they will still receive their 5% commission on a 200,000/250,000 EUR in anticipated revenue, which would naturally be coming directly from other mules participating in the fraudulent scheme. Moreover, despite that a business owner will have his company brand, logo, contact information listed at the Web site, he/she will have zero visibility to the non-existent purchasing process of this research, as "all customer service, sales, technical logistics, etc. are to be handled by us."

Why would a potential cybercrime syndicate want a socially engineered business owner to open a merchant bank account using his/her own data? Pretty simple. In my previous research on the standardization of the money mule recruitment process, I emphasized on how money mules are often vetted through online-based surveys, which always ask important from a mule recruiter's perspective question, such as - when did you you first open your bank account, and do you have any limitations on incoming/ongoing monetary transactions on it?

However, an established company would always benefit from the trust it has already established with its financial institution/service of choice, meaning that, it will not only get its merchant account open, but also, will successfully pass the majority of verification protection mechanisms for high volume transactions put into the place by the financial institution/service in place.

Sample reply email:
Thank you for your reply.

We are a company involved in development, branding and launching of several web media and IT projects involved in consulting on green technology, renewables and alternative energy sources. Several of the projects are being currently launched online and each one will need to have a card payment interface. This collaboration refers to opening a merchant account for online credit card acceptance (E-commerce).

We would need your company to open a merchant account for card acceptance and handle the receivables derived from the sales generated by each project. A bank/payment provider will facilitate data needed for website integration with their E-commerce payment gateway. We will handle the technical side of such integration in full.

We will brand the website under your company, therefore the administrative company data listed on the website will be yours, but all customer service, technical logistics and sales are to be handled by us. The products sold will be proprietary research articles and information packages on green technology, renewables and alternative energy sources.

Incoming proceedings from sales will be settled by the bank (or the payment provider) into your business bank account on a time scale defined by the bank (or the payment provider).
These sale proceedings will be transferred to us, minus your commission and expenses incurred. The volume of monthly payments processed through the merchant account will be in the order of EUR 200,000 - EUR 250,000 per month in the initial months. The expected rise is roughly 5-6% every month. The commission proposed to you stands at 5% of the mentioned volume.

All the expenses related to the operation including the banking and transactions fees and the merchant account setup and related fees are to be covered by us. If you agree in principle, I will provide the contract draft to define the legal terms of our collaboration.
 

Yours sincerely,

Michael Torti
General Manager
ECOFIN Projects (Gibraltar)
Tel/Fax: +350 2006 1287


Who are ECOFIN Projects (ecofinservices.net - 50.63.220.106) ? Nothing more than a cybercrime-friendly "marketing agency" at its best.






Sample About Us description:
Ecofin is offering outstanding solutions which are useful in maximizing revenues that are generated through a wide range of investment sectors and global assets. A wide range of services and financial opportunities are being offered for manufacturers, developers, owners as well as financial investors interested in our niche investment portfolios and services.

We are operating as a globally safe company as well as involving risk and integrity management expertise that brings together practical experience along with cutting edge, innovative engineering and technologies. The company is research based which is primarily focused on environmental sectors, alternative energy, infrastructure, as well as utility all around the globe.

The firm is practicing a fundamental and basic approach while it comes to managing its clientele assets. Ecofin is useful in developing, branding as well as launching exclusive information sales podiums based on alternative, as well as green technological sources along with IT and web media themes. The company is dedicated to providing its clients with the highest levels of quality services and investment returns within the niche industries that we focus upon.


Contact details:
+350 200 67911 (Gibraltar)
+852 5808 2461 (Hong Kong)
+54 11 5984 1154 (Buenos Aires)
+44 20 3051 6249 (London)
Skype: ecofin2013
Suite 4, 209 Main Street
Gibraltar GBZ 1AA


A potentially socially engineered business owner would then be contacted with a similar email:
Please find the Contract draft attached, review and confirm your agreement with every point of it. The next step would be to provide the proper company data to be put in the contract and produce the final version for the signing.

Please review the showcase website:

This site will be copied into a new domain reflecting your company name and your company data.
As indicated, all customer service, sales, technical logistics, etc. are to be handled by us. You would need to open a merchant account for online credit card acceptance (E-commerce).

The customers will be from all over the world. All the issues related to sales, marketing, customer service, supply, logistics, etc. are to be handled by us. You will be required to open a merchant account for online credit card acceptance, receive the funds and transfer us the proceedings, as indicated in the contract draft with detail. No capital or any upfront payments from your side are required. If it is necessary to cover any upfront fees for the merchant account establishment, we will transfer such fees to you beforehand.


Sample Web Site Template offered as an example of how a socially engineered business owner's company branded Web site, would look like (greentechidea.com - 50.63.39.1):




Sample copy of the Contract:







Sample domains from the mule recruitment campaigns spamvertised over email:
googleapp-consult.com
googleapps-euro.com
worlds-trade.com
trades-consult.com
worlds-diploms.com


Sample name servers involved in the campaign:
NS1.ELCACAREO.NET - 184.82.62.16; 136.0.16.169; 184.82.204.70 - Email: shanghaiherald32@yahoo.com
NS2.ELCACAREO.NET - 6.87.78.121

The same email (shanghaiherald32@yahoo.com) is also known to have also been used to register the following fraudulent/malicious domains:
badstylecorps.com
tvblips.net
viperlair.net


"The only green is money".

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Share:

Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise


The Russian Business Network (RBN), is perhaps the most speculated, buzzed about, cybercrime enterprise in the World, a poster child for fraudulent activity 'streaming' from 'Mother Russia', in the eyes of respected/novice security/cybercrime researchers across the globe.

However, what a huge percentage of the researchers who're just catching up with its 'fraudulent performance metrics' over the years, don't realize, is how a newly emerged bulletproof hosting provider, managed to end up, as the World's most prolific source of fraudulent/malicious activity.

Hint: Basic business concepts like franchising, signalling the early stages of the modernization/professionalization of cybercrime, where being the benchmark has had a direct inspirational impact in the 'hearts and minds' of current and potential cybercriminals, then and now.

Case in point is Abdallah Internet Hizmetleri also known as AbdAllah (VN), an ex-RBN darling relying on the franchise business concept.

In this post, I'll discuss a sample contract/contractual agreement that every one of its customers had to sign before doing business with them, which in the broader context leads to a situation, where while the franchise is publicly advertising the bulletproof hosting services for trojans, exploits, warez, adult content, drop projects, botnets and spam, it's explicitly forbidding such activities -- with some visible exceptions -- in its contractual agreement.

What does this mean? It means that the Russian Business Network, the benchmark for the majority of ex/currently active bulletproof hosting providers, has been (legally) forwarding the responsibility for the fraudulent activity to its customers, in between reserving the right to act and deactivate their accounts if they ever violate the agreement/contract. The first thing that comes to my mind when it comes to the RBN 'reaction' in a socially oriented manner, are the infamous RBN Fake Account Suspended Notices, and that's just for starters, indicating a deteriorated understanding of malicious/fraudulent activity, with high profit margins in mind.

Let's go through the contract/agreement that every customer used to sign, before doing cybercrime-friendly business with them, both in original Russian, and automatically translated in English.

Sample AbdAllah (VN) Contractual Bulletproof Hosting Agreement/Contract in Russian:
1. ПРЕДМЕТ ДОГОВОРА

1.1. Заказчик поручает, а ИСПОЛНИТЕЛЬ берет на себя обязательства по размещению и/или регистрации виртуального сервера ЗАКАЗЧИКА в сети Интернет.

2. УСЛОВИЯ ВЫПОЛНЕНИЯ ДОГОВОРА

2.1. По заключению настоящего договора ИСПОЛНИТЕЛЬ производит первоначальную установку и настройку виртуального сервера и обеспечивает ЗАКАЗЧИКА необходимой информацией для администрирования виртуального сервера.

2.2. ИСПОЛНИТЕЛЬ обеспечивает доступ в сети Интернет к виртуальному серверу, а так же работоспособность всех доступных сервисов ЗАКАЗЧИКА круглосуточно в течение семи дней в неделю.

3. ЦЕНЫ И ПОРЯДОК ОПЛАТЫ

3.1. Стоимость и порядок оплаты работ по настоящему договору на момент его заключения определяется в соответствии с действующими условиями, распространяемыми сотрудниками по E-Mail и/или ICQ.

3.2. Оплата вносится ЗАКАЗЧИКОМ в счет оплаты услуги поддержки виртуального веб-сервера ИСПОЛНИТЕЛЕМ. ИСПОЛНИТЕЛЬ вправе приостановить предоставление услуг при отрицательном состоянии счета.

3.3. Все выделенные серверы предоставляются в состоянии UNMANAGED, т.е администраторы ИСПОЛНИТЕЛЯ могут, но не ОБЯЗАНЫ настраивать арендуемый сервер. За любую настройку сервера ЗАКАЗЧИКА, либо скриптов на нём - взымается плата в размере 50 USD/за 1 час работы администратора ИСПОЛНИТЕЛЯ по Вашему вопросу, минимум пол часа. Полное администрирование сервера специалистами ИСПОЛНИТЕЛЯ стоит 250 USD в месяц. Бесплатно осуществляется перезагрузка сервер (если нет автоматической формы для этого).

3.4. В случае не оплаты услуг ЗАКАЗЧИКОМ в последний день биллингового периода, данные ЗАКАЗЧИКА удаляются по наступлению новых суток без возвратно. В случае виртуального хостинга удаляется аккаунт и все бэкапы данного аккаунта, в случае аренды сервера (dedicated или vps) сервер снимается с обслуживания, форматируются жесткие диски.

4. ОТВЕТСТВЕННОСТЬ СТОРОН

4.1. ИСПОЛНИТЕЛЬ не несет ответственности перед ЗАКАЗЧИКОМ или третьими сторонами за любые задержки, прерывания, ущерб или потери, происходящие из-за:
(а) дефектов в любом электронном или механическом оборудовании, не принадлежащем ИСПОЛНИТЕЛЮ;
(б) проблем при передаче данных или соединении, произошедших не по вине ИСПОЛНИТЕЛЯ ;
(в) вследствие обстоятельств непреодолимой силы в общепринятом смысле, т.е. чрезвычайными силами и непредотвратимыми обстоятельствами, не подлежащими разумному контролю;
(г) давление властей.

4.2. При расторжении Договора по инициативе ЗАКАЗЧИКА, неиспользованная часть аванса ЗАКАЗЧИКУ не возвращается.

4.3. ИСПОЛНИТЕЛЬ оставляет за собой право приостановить обслуживание ЗАКАЗЧИКА или расторгнуть договор в безусловном порядке без возвращения средств заказчику в следующих случаях:

- размещение детской порнографии и зоофилии в любом виде;

- попытки взлома, несанкционированного проникновения на сервер, в аккаунты других клиентов, попытки порчи оборудования или программного обеспечения;

- попытки взлома правительственных организаций в любом виде;

- попытки спама любого рода с наших серверов виртуального хостинга, кроме как через соксы;

- попытки фишинга банков (кража денег);

- размещение информации по торговле оружием и наркотиками, торговля людьми или органами людей, вызывающие межнациональную и религиозную рознь, призывающую к войне и насилию;

- неоправданная перегрузка вычислительных мощностей сервера виртуального хостинга (допускается использовать не более 5% мощности процессора и не более 128Мб оперативной памяти сервера);

- попытки взлома с серверов (dedicated и виртуальный хостинг) - серверы, которые расположены рядом в стойке, либо клиентов этой же страны, где расположен сервер;

- оскорбление в любой форме сотрудников сервиса.


4.4. ИСПОЛНИТЕЛЬ не отвечает за содержание информации, размещаемой ЗАКАЗЧИКОМ.

4.5. ИСПОЛНИТЕЛЬ не будет нести ответственности за любые затраты или ущерб, прямо или косвенно возникшие в результате использования услуги вэб хостинга.

4.6. MoneyBack за выделенный сервер возможен только в том случае, если недоступность данного сервера происходит по вине ИСПОЛНИТЕЛЯ, ввиду того, что ИСПОЛНИТЕЛЬ оплачиваем полную стоимость сервера в Дата-Центр. Также возможна замена сервера.

4.7. Размещение сайтов ЗАКАЗЧИКА, рекламируемых SPAMом на серверах ИСПОЛНИТЕЛЯ (как виртаульного хостинга, так и dedicated) оплачивается отдельно из расчета объема писем. При объёмах от 5млн до 10млн =1000 USD - 1500 USD в месяц за сервер в Китае или ГонгКонге, либо 150 USD неделя или 500 USD в месяц за виртуальный хостинг, более 10-20 млн.  = 200 USD неделя либо 2000$ за выделенный сервер.

4.8. ИСПОЛНИТЕЛЬ обязуется делать ежедневные резервные копии аккаунта ЗАКАЗЧИКА на сторонний сервер (только виртуальный хостинг).

4.9. ИСПОЛНИТЕЛЬ обязуется решать самостоятельно все жалобы (абузы/abuse), не привлекая к этому ЗАКАЗЧИКА и без вмешательства в данные ЗАКАЗЧИКА. ИСПОЛНИТЕЛЬ не решает жалобы (абузы/abuse) от полиции, крупных правительственных организаций и VerSign.

4.10. ИСПОЛНИТЕЛЬ не дает никаких гарантий, что домен ЗАКАЗЧИКА не будет заблокирован по любым причинам, а особенно таким как любой вид SPAMа, fraud, phishing и т.п.

5. КОНФИДЕНЦИАЛЬНАЯ ИНФОРМАЦИЯ

5.1. Стороны обязуются без обоюдного согласия не передавать третьим лицам либо использовать иным способом, не предусмотренным условиями Договора, организационно-технологическую, коммерческую, финансовую и иную информацию, составляющую секрет для любой из сторон (далее - "конфиденциальная информация") при условии, что:

- такая информация имеет действительную или потенциальную коммерческую ценность в силу ее неизвестности третьим лицам;

- к такой информации нет свободного доступа на законном основании;

- обладатель такой информации принимает надлежащие меры к обеспечению ее конфиденциальности.

5.2. Стороны обязуются, без обоюдного согласия, не передавать третьим лицам сведения о содержании и условиях Договора.

5.3. ИСПОЛНИТЕЛЬ обязуется предотвращать запись логов на серверах виртуального хостинга и маршрутизирующем оборудовании.

5.4. Будьте внимательны, сотрудники ИСПОЛНИТЕЛЯ не запрашивают пароли от аккаунтов виртуального хостинга и выделенных серверов. Исключением является ситуация, когда ЗАКАЗЧИК просить произвести какие-либо работы на его Выделенном Сервере.



 
Automatically translated Russian Business Network (RBN) Contractual Agreement/Contract:
1. SUBJECT OF CONTRACT

1.1. Customer Requests, but ARTIST is committed to the placement and / or registration CUSTOMER virtual server on the Internet.

2. CONDITIONS OF IMPLEMENTATION OF THE TREATY

2.1. At the conclusion of this treaty ARTIST produces initial setup and configuration of the virtual server and provides the necessary information for CUSTOMER virtual server administration.

2.2. ARTIST provides access to the Internet to the virtual server, as well as efficiency of all available services CUSTOMER day seven days a week.

3. PRICES AND ORDER OF PAYMENT

3.1. Cost and arrangements of works under this contract at the time of its conclusion is determined in accordance with existing conditions, the staff distributed by E-Mail and / or ICQ.

3.2. Payment is made ZAKAZCHIKOM as payment services support virtual web server ISPOLNITELEM. ARTIST right to suspend the provision of services at a negative status of the account.

3.3. All dedicated servers are provided in a position UNMANAGED ie ISPOLNITELYA administrators can, but not OBYAZANY tune rented server. For any server setup CUSTOMER or scripts on it - charge of $ 50 USD / for 1 hour administrator ISPOLNITELYA to your question, at least half an hour. The full server administration specialists ISPOLNITELYA worth USD 250 per month. Free done rebooting the server (if not automatic form for this).

3.4. If no payment ZAKAZCHIKOM bill on the last day of the period, the data are removed CUSTOMER new offensive on days without reciprocating. In the case of virtual hosting account and removed all of your backups, in case the rental server (dedicated or vps) server is removed from service, formatted hard drives.

4. RESPONSIBILITY OF PARTIES

4.1. ARTIST no responsibility to ZAKAZCHIKOM or third parties for any delays, interruptions, damage or losses that occur because of:
(a) defects in any electronic or mechanical equipment, not belonging ISPOLNITELYU;
(b) problems in the transfer of data or connection that occurred through no fault ISPOLNITELYA;
(c) due to force majeure circumstances, in the conventional sense, that is, nepredotvratimymi forces and emergency circumstances, not subject to reasonable control;
(g) pressure from the authorities.

4.2. At the dissolution of the Treaty on the initiative CUSTOMER, ZAKAZCHIKU unused portion of the advance is not refundable.

4.3. ARTIST reserves the right to suspend or terminate CUSTOMER service contract in order without the unconditional return of customer funds in the following cases:

-- Locating and zoofilii child pornography in any form;

-- attempted burglary, unauthorized entry to the server, in the accounts of other customers, trying to damage equipment or software;

-- attempted burglary governmental organizations in any form;

-- spam attempts of any kind from our servers hosting virtual except through SOCKS;

-- phishing attempts banks (stealing money);

-- posting on the arms trade and drug trafficking, or human organs, causing inter-ethnic and religious discord, calling for war and violence;

-- unjustified computing power overload virtual server hosting (which is allowed to use no more than 5% of CPU capacity, and no more than 128 MB of RAM server);

-- attempted burglary of servers (and dedicated virtual hosting) - servers, which are located next to the rack, a customer in the same country where the server;

-- insulting to any form of service personnel.


4.4. ARTIST is not responsible for the content of the information posted ZAKAZCHIKOM.

4.5. ARTIST shall not be liable for any costs or damages arising directly or indirectly from the use of Web hosting services.

4.6. MoneyBack for dedicated server is possible only in case the inaccessibility of the fault occurs on the server ISPOLNITELYA, because ARTIST pay for the full cost of a server in Data Center. Also possible replacement server.

4.7. Placing sites CUSTOMER advertised on servers ISPOLNITELYA SPAM (as virtaulnogo hosting, and dedicated) is charged separately at the rate of the volume of letters. With volume of 5 million to 10 million USD = 1000 - 1500 USD per month for the server in China or Gong Konge or 150 USD week, or 500 USD per month for a virtual hosting, a 10-20 million = 200 USD week, or $ 2000 for a dedicated server.

4.8. ARTIST undertakes to do daily backups CUSTOMER account for the third-party server (only virtual hosting).

4.9. ARTIST undertakes to decide all complaints (abuzy / abuse), are not engaging in the CUSTOMER and without interference in the CUSTOMER data. ARTIST does not solve complaints (abuzy / abuse) from the police, government organizations and major VerSign.

4.10. ARTIST gives no guarantees that the domain CUSTOMER not be blocked for any reason, but especially like any kind of SPAM, fraud, phishing, etc.

5. CONFIDENTIAL INFORMATION

5.1. The Parties undertake without the unanimous consent not to transfer to third parties or used in any other way other than prescribed conditions Treaty, organizational and technological, commercial, financial and other information, which is the secret to any of the parties (hereinafter - "confidential information"), provided that:

-- this information is actual or potential commercial value by virtue of its unknown third parties;

-- to such information no free access to the lawful;

-- holds such information shall take appropriate steps to ensure its confidentiality.

5.2. The Parties undertake, without unanimous consent, not to transfer to third parties about the content and conditions of the Treaty.

5.3. ARTIST undertakes to prevent logging on servers and virtual hosting routing equipment.

5.4. Be careful, do not require employees ISPOLNITELYA passwords from virtual hosting accounts and dedicated servers. The exception is when CUSTOMER request to any work for his Vydelennom Server.


Excluding the direct offering of managed servers for spam sending in the actual agreement/contract, and the fact that their abuse department is virtually non-existent, the contact explicitly prohibits related malicious/fraudulent activity. Naturally, that's not the case when AbdAllah (VN) used to advertise its bulletproof hosting service across cybercrime-friendly communities, "back in the day":


In 2013, despite the overall availability of RBN-like bulletproof hosting providers, cybercriminals continue experimenting with abusing legitimate infrastructure in an attempt to mitigate the risk of having their activities exposed. Various cases throughout the last couple of years include:
The "best" is yet to come.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Share:

Featured Security Image

Featured Security Image
The Heart of KOOBFACE. C&C and Social Network Propagation

Featured Cyber Intelligence Service

Featured Cyber Intelligence Service
DDanchev is for Hire!

Featured Cyber Intelligence Project

Featured Cyber Intelligence Project
Project Proposal - Cybercrime Research - Seeking Investment

Featured Threat Intelligence Project

Featured Threat Intelligence Project
Dancho Danchev's Mind Streams of Information Security Knowledge - The World's Most Comprehensive Threats Database

Featured Threat Intelligence Consultancy

Featured Threat Intelligence Consultancy
Threat Intelligence - An Adaptive Approach to Information Security - Free Consultation Available

Featured Hacking Project

Featured Hacking Project
Book Proposal - Seeking Sponsorship - Publisher Contact

Popular Posts

Featured Privacy Service

Featured Privacy Service
Pi-hole Privacy Blocking

Featured Video

Recent Posts

Featured Service

Featured Service
SurfWatch Threat Analyst

Featured Video

Featured Privacy Tool

Featured Privacy Tool
DNSCrypt

Featured Product

Featured Product
Sentinel Visualizer

Unordered List

  • Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
  • Aliquam tincidunt mauris eu risus.
  • Vestibulum auctor dapibus neque.

Featured Privacy Tool

Featured Privacy Tool
OnionShare