The Latest in IT Security

Keeping Money Mule Recruiters on a Short Leash – Part Eight – Historical OSINT

25 May 2011


With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I’ll summarize the findings from an assessment I conducted on currently active mule recruitment scams over a month ago. As always, the historical OSINT offered is invaluable in case-building practices, particularly for a very well segmented group of mule recruiters using identical templates, which they’ve purchased from a vendor of standardized mule recruitment templates.

Domains known to have been participating in money mule recruitment campaigns, currently offline:

Name servers of notice, historical OSINT for the responding IPs provided:

Monitoring of money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash – Part Seven
Keeping Money Mule Recruiters on a Short Leash – Part Six
Keeping Money Mule Recruiters on a Short Leash – Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash – Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash – Part Three
Money Mule Recruiters on Yahoo!’s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash – Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group’s Spamming Operations
Money Mule Recruiters use ASProx’s Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev’s blog.
