Malware toolkits are designed to steal information, such as bank account data, and provide cyber criminals with vast quantities of stolen credentials. Every day, credit card numbers stolen by malware such as Zeus and SpyEye are bought and sold in the underground economy. This has given rise to the recruitment of “pack mules.”
When using stolen credit card numbers to make purchases online, criminals do not provide their own identity or location information. Instead, criminals post advertisements on job search Web sites in order to lure “pack mules” to act as intermediaries in their criminal operations. These intermediaries receive merchandise on the criminal’s behalf and re-ship it to a location under the control of the criminals. This operation is known as “re-shipping fraud” and is similar to the ways in which some criminals recruit “money mules” to open bank accounts for transferring stolen funds.
Re-shipping is tightly intertwined with malware activity. This is demonstrated by the fact that the Web sites used to recruit pack mules are hosted on the same servers that host the command-and-control servers of Zeus botnets. I have been exploring (see Clustering Zeus Command and Control Servers Part 1 and Part 2) clusters of Zeus activity in an attempt to better understand the connections among the criminals behind different functions within the botnet ecosystem. I have found that although Zeus is a popular malware toolkit that any aspiring criminal can use to set up a botnet capable of stealing credit card and banking information, there is a cluster of malicious Zeus servers which indicates that there is a “core” of Zeus operations.
In this blog post, I analyze the pack mule recruiting Web site, “Sullivan and Myers,” (sullivanmyers.com) and explore its links with Zeus botnets and the broader malware underground. This investigation indicates that these concentrations of malicious activities go beyond operating command-and-control servers and extracting banking information to other aspects of the criminal enterprise. This includes exploitation (through “exploit packs”) and the recruiting of pack and money mules.
Pack Mule Recruitment
In order to recruit pack mules, criminals set up Web sites that purport to belong to a legitimate shipping and receiving business, and post advertisements that link to the “business” on job search Web sites and forums. This can be seen in the case of Sullivan and Myers, a fake business created for the purpose of recruiting pack mules.
Sullivan and Myers’ job posting invites interested applicants to complete an online application form and submit a resume to email@example.com. Sullivan and Myers’ contact information (address, phone, and fax number) is also supplied. The application form, contact information, and the company’s Web site appear to have been designed to create a sense of legitimacy. Although there are some indicators that suggest the company may be fake, such as awkward language and occasional errors (using “Myers & Sullivan” instead of “Sullivan and Myers”), the overall presentation is passable. To some applicants, the company may appear to be legitimate.
After submitting a resume, applicants are given additional information about the position. The applicants are informed that they will be receiving packages which they are to re-package and send to the company’s “consumers.” The applicants are told that they can earn up to USD3000 per month.
Human Resource firstname.lastname@example.org
Your documents has been verified and checked; you seem to be a suitable
candidate for Junior Packing Specialists’ position and we are glad, that you are
interested in this opening.
Following, you’ll find information about Sullivan & Myers and additional details
about Junior Packing Specialist position.
Sullivan & Myers (NASDAQ: SUM) is a well known printing and typography company
that offers wide variety of printing, publishing and general advertising
services. Company is based in US with headquarters in GA, Atlanta. If you want
to find out more about Sullivan & Myers, please visit our web site
This is a part-time job with a flexible schedule. Work time is not
limited, but to be successful you need to devote at least 10hrs per week to it,
though those who work up to 20hr/week have best results in the company.
This is a part-time job and it can be rendered at home, thus all but few
communications will be handled online, because of this job requirements include
acceptable level of computer literacy and Internet access. There is no entrance
or any other hidden fee. The company covers all the fees related to this
Junior packing specialist’s job is quite simple, currently Sullivan & Myers
provide a complex package of services for a network of a well-known consumer’s
electronics company, you will be receiving scheduled packages from them. The
parcels mostly consist of electronics and consumer goods with no oversized
deliveries. You shall receive a specialized packing paper from Sullivan & Myers
or its affiliates, part of it will be a decal paper, picturing different
advertisements from our client’s partner, some might only be protective wrapping
to provide additional security to fragile goods. Junior Packing specialist’s job
is simple, you need to repack each package & parcel and make sure that
consistence of package is fully operational or/and lacking visual defects and
forward it to consumers via USPS or FED EX. You might receive up to 10 packages
per week (during your trial period) thus as we already mentioned we require at
least 10hrs to be dedicated to this job.
To the successful applicants we offer a position on a trial period (30
business days, from the first actual assignment). This is the period when you
will be trained and shall receive 24/7 online and phone support, while earning
money. The evaluation of employees on a trial period is usually at least one
week before the end of their trial period. During the trial period, the
supervisor can recommend termination. At the end of the trial period, supervisor
makes his decision.
The trial period is paid $1390 USD per month. For every successful mail/parcel
forwarded you will receive $35, also you shall receive an additional bonus of
$15 per parcel that you send at the day of delivery, for example, if you have
received a parcel at 01.05.2010 and forwarded it at the same day, you shall
receive not $35 but $50 commission. Your total income, with the current volume
of clients, will be added up to $3000 USD per month. Your base salary, after
trial period, will go up to $1900 per month, plus $45 per parcel you forward.
You may ask for additional hours after trial period, or proceed full-time.
If you are interested in this job, please reply to this e-mail and our HR
managers will send you all required paperwork.
Next, applicants are sent a contract and are then instructed to send copies of identification and proof of residency for a background check to minimize fraud. This is an important step because if, at a later point, the applicant determines that the company is not legitimate and wants to quit, the criminals behind this operation could attempt identity theft or otherwise compromise the individual.
Human Resource email@example.com:
In this e-mail, you will find attached legal document specifically a labor
contract for Junior Packing Specialist position in Sullivan & Myers.
Make sure you read it carefully, familiarize yourself with all aspects of
the agreement and in case if you agree with the terms do the following:
1. Print out two (2) copies of the labor contract.
2. Sign both parts, you must sign it on the bottom of EVERY page,
plus at the end of the document.
3. Forward one part to Sullivan & Myers HR department at
firstname.lastname@example.org or fax it to 1-(678)-866-2530
4. Keep one signed copy for yourself.
The contract becomes valid from the moment of the reception of the
correctly filled copy of the contract. It should be noted that the validity
of the contract in the electronic form is identical to the contract signed
in personal presence of both parties.
In order to minimize fraudulent activities we have implemented strong
security policy, we are running mandatory background checks for every
successful candidate. Background check includes but is not limited to,
criminal, financial or personal records that are available publicly. In VERY
rare cases, Sullivan & Myers may enforce PI. As a part of our security
policy we ask you to make an electronic copy of your ID, driving license or
any other legal document that may verify your identity (any utility bill
will do, if your domicile is mentioned there) and send it attached with the
same e-mail or fax it to 1-(678)-866-2530.
You will receive additional information when your forwarded contract will
be examined and verified by our attorneys.
*NOTE: Requires manual signature.
After receiving the signed contract, the criminals confirm the mailing address of the new “employee.” At this point, the new employee will begin receiving packages of goods bought with stolen credit card information and forwarding these goods to the criminals behind the operation. When law enforcement tracks down the operation, they will be led to the address of the pack mule rather than the masterminds behind the operation.
The Malware Connection
Locating Sullivan and Myers within the malware ecosystem exposes the criminal connections of those behind the re-shipping fraud operation. The Web site sullivanmyers.com is registered to the e-mail address email@example.com and resolves to the IP address 220.127.116.11. Migray71@yahoo.com is linked to significant malicious activity.
The hosting history of sullivanmyers.com firmly places the domain within concentrations of malicious activity. Currently, the Web site is hosted on a server with the IP address 18.104.22.168. This server also hosts azkinternational.com (firstname.lastname@example.org), fotosharedownloads.com (email@example.com) and fotoshare-dknc.com. Fotosharedownloads.com and fotoshare-dknc.com are Web sites that host malware, and azkinternational.com appears to be another pack mule recruiting Web site.
Sullivanmyers.com has been hosted on a number of servers that have hosted significant amounts of malicious activity in the last year. Currently, these servers are hosting domain names registered to known malicious e-mail addresses.
These domain names resolve to IP addresses of servers that were previously used to host sullivanmyers.com. While some of the domain names have already been linked to malicious activity, some have not. However, they are associated with e-mail addresses that have been used to register malicious domain names in the past.
Using data from MalwareDomainList and ZeusTracker, we can see the extent to which domain names registered by email@example.com are engaged in malicious behavior and linked through co-hosting to other malicious domain names. These malicious domain names have been active throughout 2010 and have been used to host exploit packs, such as Phoenix and Eleonore; downloaders, such as Oficla/Sasfis, Fake Antivirus, the RussKill DDoS tool and multiple versions of the Zeus Trojan; and associated drop zones and command-and-control servers. This e-mail address was also used to register sosanni.com, a command-and-control server for the Ambler botnet.
The most interesting connection within this cluster links the activity of domain names registered with firstname.lastname@example.org to the Ambler botnet and to a cluster of malicious Zeus activity. The domain name sosanni.com (email@example.com – 22.214.171.124) was an Ambler command-and-control server that was operated by the same set of actors that administered a cluster of Zeus command-and-control servers registered with a variety of well-known e-mail addresses, including firstname.lastname@example.org, email@example.com, and MillieDiaz4@aol.com.
The firstname.lastname@example.org e-mail address was made infamous after Netwitness revealed the existence of a Zeus-based botnet associated with that e-mail address that had compromised over 74,000 computers around the world. An association with the Kneber botnet indicates that those behind the operation have no shortage of stolen credit card numbers that could be used to make purchases that are re-shipped through the pack mule operation. Moreover, this cluster was found to be operating not only a Zeus botnet, but SpyEye and Ambler botnets as well. This indicates that the criminals are diversifying their operations using multiple forms of malware that are designed to steal credit card numbers, bank account information, and other credentials.
However, there are some limitations to this analysis. Just because domain names are hosted on the same server, it does not mean that there is necessarily a direct connection between them. There are a variety of “bullet proof” Web hosting companies that provide stable hosting to a wide variety of malicious activity. Online criminals prefer these services because the “bullet proof” hosts ensure that malicious Web sites remain online despite efforts of the security community to take them down.
Domain names registered with the same e-mail address provide a stronger link because this indicates that the domain names are under the control of one entity. However, domain names registered to the same e-mail address may not be directly linked. There are a variety of services available within the malware underground that include domain registration. For example, the domain name southdomens.com (email@example.com) is hosted on a server that sullivanmyers.com was formerly hosted on. The server is also associated with a service that provides domain name registration. If domain registration services register domain names for multiple clients with the same e-mail address, it provides a weak (rather than strong) link between malicious activity clustered around domain names registered with the same e-mail address. Domain names registered with the same e-mail address may be distributed by the supplier to an array of disparate criminals. So, rather than indicating a strong connection between the malicious actors using the domain names, it simply shows that disparate malicious actors sought the services of the same domain name provider.
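The difference between strong links (a shared registrant e-mail address) and weak links (co-hosting, or a registrant address that belongs to a registration service) can be kept explicit when clustering domains. The following Python code is an added example, not code or data from the original post; every domain, e-mail address and IP address in it is a constructed placeholder, and the list of reseller addresses is an assumed analyst input.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records (not data from the post): domain, registrant e-mail,
# and every IP address the domain has resolved to. IPs use documentation ranges.
RECORDS = [
    ("mule-recruit.example", "reg-a@example.net", {"192.0.2.10", "192.0.2.20"}),
    ("zeus-c2.example",      "reg-a@example.net", {"198.51.100.5"}),
    ("exploit-pack.example", "reg-b@example.net", {"192.0.2.20"}),
    ("bulk-one.example",     "reseller@example.net", {"203.0.113.7"}),
    ("bulk-two.example",     "reseller@example.net", {"203.0.113.9"}),
]
# Assumption: the analyst has identified this address as a registration service
# that registers domains for many unrelated clients.
RESELLER_EMAILS = {"reseller@example.net"}

def link_evidence(records, resellers):
    """Return {(domain_a, domain_b): set of evidence labels}."""
    links = defaultdict(set)
    for (d1, e1, ips1), (d2, e2, ips2) in combinations(records, 2):
        pair = tuple(sorted((d1, d2)))
        if e1 == e2:
            # Shared registrant is strong unless the address is a reseller's.
            links[pair].add("weak:reseller" if e1 in resellers else "strong:registrant")
        if ips1 & ips2:
            # Co-hosting alone may only mean a shared bulletproof host.
            links[pair].add("weak:cohost")
    return dict(links)

def clusters(records, links, strong_only):
    """Union-find over domains, optionally ignoring weak evidence."""
    parent = {d: d for d, _, _ in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for (a, b), labels in links.items():
        if not strong_only or any(l.startswith("strong:") for l in labels):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])

if __name__ == "__main__":
    ev = link_evidence(RECORDS, RESELLER_EMAILS)
    print("strong only:", clusters(RECORDS, ev, strong_only=True))
    print("all links:  ", clusters(RECORDS, ev, strong_only=False))
```

Comparing the two outputs shows which groupings depend only on co-hosting or reseller evidence and therefore need corroboration before being attributed to one set of actors.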
Keeping these limitations in mind, I believe that while there are specialized roles within the malware ecosystem, there appears to be a significant portion that is quite centralized. In this case, domain names registered with the same e-mail addresses not only inhabit servers full of malicious activity, but are also associated with “pack mule” recruitment, exploit packs, and Zeus and Ambler command-and-control servers. While the exact nature of the connections between them is unclear, these concentrations indicate that a discrete set of criminals is behind an operation that goes full circle: from exploiting victims, to harvesting credentials to acquire goods which are relayed through a network of pack mules back to the criminals.