Here are a couple of interesting sites:
(There are also some variants on the "TJL" initials — mixing their order — but these all resolve to the tjlrecruitment.org site. No variants for the knlrecruitment.org domain have shown up, but we'll keep our eyes open.)
Besides looking identical, there are more similarities:
- Both live on the same server, currently at 126.96.36.199, which is an IP address in Russia.
- Although both claim to have been in business since 2001, and have copyrights for 2011, the domains are actually very young: one was registered about a month ago, the other is a bit over a week old.
- A lot of the URL path and page names are identical.
(As we sometimes say in America, "Beauty is only skin deep, but ugly goes all the way to the bone.")
Unfortunately, there isn't a lot of context to decide what they're up to, but my guess is that they're set up to recruit "money mules" (people who think they're working for a legitimate business, but are simply being used by a criminal gang to facilitate money transfers from compromised bank accounts).
Money mules are normally recruited via spam, and none of the traffic in the WebPulse logs to these domains shows a referring site, which is consistent with clicks within an e-mail client.
And although money mule sites are not malicious (at least, normally), of course we'll continue tracking and blocking this network.
Leave a reply