The Latest in IT Security

Keeping Money Mule Recruiters on a Short Leash – Part Eight – Historical OSINT

25 May 2011


With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I’ll summarize the findings from an assessment I conducted on currently active mule recruitment scams over a month ago. As always, the historical OSINT offered is invaluable in case-building practices, in particular for a very well segmented group of mule recruiters using identical templates, which they’ve purchased from a vendor of standardized mule recruitment templates.

Domains known to have been participating in money mule recruitment campaigns, currently offline:


Name servers of notice, historical OSINT for the responding IPs provided:

Monitoring of money mule recruitment campaigns is ongoing.


This post has been reproduced from Dancho Danchev’s blog.
