Archive for the ‘Underground Economy’ Category

Hackers Sell Twitter Accounts for Up to USD1,000 | HostExploit News

March 8, 2010

Hackers Sell Twitter Accounts for Up to USD1,000 | HostExploit News: “”

(Via .)

FaaS: The Emergence of Fraud as a Service

February 9, 2010

FaaS: The Emergence of Fraud as a Service: “FaaS: The Emergence of Fraud as a Service”

(Via Information Security Resources.)

Shadowserver Foundation Blog: DDoS for Hire – More cooperation, or new competition?

January 9, 2010

Shadowserver Foundation – Calendar – 2010-01-09

Saturday, 9 January 2010
DDoS for Hire – More cooperation, or new competition?

I’ve always been interested in DDoS attacks, not only for their technical aspects, but also their social, economic, or political aspects. This past summer, several of us were closely watching a DDoS group that was fairly aggressive and diverse in its attack targets. This group, known as the “hack-off” group used the domains ‘” & “” for their command and control. What was particularly interesting about ‘hack-off’ was their attack campaigns on targeted industries and groups. Such industries included:

hack-off DDoS targeted industries

* Online pharmacies
* Porn sites
* Automotive parts suppliers
* Replica Watches
* Online Gambling
* Logo Design companies
* Sporting goods and sportswear
* Healthcare products
* Electronics vendors

Many of the attacks victims were fairly high profile, and law enforcement agencies from at least 5 different countries became involved. Eventually, with the assistance of cert-ru and Affilias, the domains were suspended and by October 2009, the ‘hack-off’ crew was offline.

Recently while looking through some of our data sets, I again noticed aggressive DDoS attacks against targeted industry groups. In this case, four domains are seen being used for command and control:

New DDoS controllers

Over 250 different sites were targeted for DDoS from these controllers since November, 2009. The victim sites were fairly diverse, but were seen predominately in the following industries:

Industries targeted by atatata and friends

* Car buying sites
* Footwear
* Sporting goods
* Jewelry
* Gambling and Lottery
* Watches
* Appliances
* Travel and Tourism

The domains used by these controllers have been run on various hosting providers as described below. has also been seen dropping FakeAv as well as other malware. Another active botnet domain on the same IP as, is, however I haven’t yet seen DDoS related activity from them.

The top IP address prefaced is the currently active IP for that domain. The listing below also shows the nameserver history for each domain.
Domain information

* – AS50033 – GROUP3-AS GROUP 3 LLC.
* – AS15756 -CARAVAN
* – ??


* – AS4837 – CHINA169-Backbone
* – AS9929 – China Netcom Corp.
* – AS9394 – CHINA RAILWAY Internet

Registrar:Directi Internet Solutions

* – AS4837 – CHINA169-Backbone
* – AS9929 – China Netcom Corp.
* – AS9394 – CHINA RAILWAY Internet
* – AS36351 – SoftLayer
* – AS36351 – SoftLayer
* – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: Privacy Protected

* 8/22/09
* 8/29/09
* 9/5/09
* 9/6/09
* 9/7/09
* 9/11/09

* – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich


While DDoS for hire is nothing new, these particular attacks and the activity behind them remain interesting. Are these new criminal groups rising up to compete in the lucrative world of DDoS? Or are we just seeing more cooperation and consolidation of efforts among the usual and familiar players?

We’ll continue to keep an eye on any new attacks from these controllers as well as the providers from where they are hosted.

=>Posted January 09, 2010, at 10:25 AM by Andre’ – Semper_Securus

(Via DDoS for Hire – More cooperation, or new competition?.)

‘Bulletproof’ safe havens are all the rage for Internet pirates

January 7, 2010

‘Bulletproof’ safe havens are all the rage for Internet pirates: ”

Filed under: Internet, P2P
‘Bulletproof’ safe havens are all the rage for Internet pirates
by Sebastian Anthony (RSS feed) Jan 6th 2010 at 12:02PM

Have you ever put much thought into Internet piracy?

‘Ooh, cool, tons of free stuff!’ — no, I mean, really thought about it.

In almost every Western nation software and music piracy is theft. In the eyes of the law it’s wrong. There’s simply nothing more to it: it’s intellectual property that you’re stealing from the property’s owner. As mere users, just single faces in a crowd of millions, we’re relatively safe. It’s like stealing an apple from a busy market stall: it’s not particularly hard, it’s not very damaging — and at the end of the day, it’s hard to catch a single thief in a crowd of millions.

Organized crime, on the other hand, is serious business. You can “

(Via .)

Virus Scanners for Virus Authors

January 5, 2010

Virus Scanners for Virus Authors: “

I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.

That pooling of intelligence on new threats also serves to make the free scanning services less attractive to virus authors, who would almost certainly like nothing more than to freely and simultaneously test the stealth of their new creations across a wide range of security software. Still, there is nothing to stop an enterprising hacker from purchasing a license for each of the anti-virus tools on the market and selling access to a separate scanning service that appeals to the virus-writing community.

Enter upstart file-scanning services like and, which bank on the guarantee that they won’t share your results with the anti-virus community.

For $1 per file scanned (or a $40 monthly membership) will see if your file is detected by any of 22 anti-virus products, including AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec, and Trend Micro. ‘Each of them is setten [sic] up on max heuristic check level,’ av-check promises. ‘We guarantee that we don’t save your uploaded files and they are deleted immediately after the check. Also , we don’t resend your uploaded files to the 3rd person. Files are being checked only locally (without checking/using on other servers.’ In other words: There is no danger that the results of these scans will somehow leak out to the anti-virus vendors.

The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine, such as VMWare or VirtualBox. For safety and efficiency’s sake, security researchers often poke and prod new malware samples in a virtual environment. As a result many new families of malware are designed to shut down or destroy themselves if they detect they are being run inside of a virtual machine.

Virtest checks malware suspicious files against a similar albeit slightly different set of anti-virus programs, also promising not to let submitted files get back to the anti-virus vendors: ‘Your soft isn’t ever sent anywhere and the files being checked will never appear in the fresh AV signature bases after scanning,’ the site pledges. ‘On purpose in all AV-products are turned off all possible methods and initiatives of exchange of files’ info with the AV-divisions.’

The proprietors of this service don’t even try to hide the fact that they have built it for malware writers. Among the chief distinguishing features of is the ability for malware authors to test ‘exploit packs,’ pre-packaged kits that — when stitched into a malicious or hacked Web site — serve the visitor’s browser with a kitchen sink full of code designed to install software via one of several known security holes. Many anti-virus programs now also scan Web pages for malicious content, and this service’s ‘exploits pack check’ will tell malware authors whether their exploit sites are triggering virus alerts across a range of widely-used anti-virus software.

But don’t count on paying for these services via American Express: Both sites only accept payment via virtual currencies such as Webmoney and Fethard, services that appear to be popular with the online shadow economy.

(Via Krebs on Security.)

The botnet ecosystem

December 22, 2009

The botnet ecosystem: “With the appearance of botnets, criminal gangs have gained access to millions of infected computers and the number of cybercrimes committed has risen sharply. Although the majority of Internet users understand that zombie networks pose a serious threat, many do not know how or why botnets are created and maintained.”

(Via Latest Analysis for All Threats.)

Hacker Arrested For Stealing Virtual Assets In Online Game

December 2, 2009

Hacker Arrested For Stealing Virtual Assets In Online Game: “Man arrested for hacking into other gamers’ online accounts”

(Via DarkReading – All Stories.)

Russian ransomware blocks net access

December 2, 2009

Russian ransomware blocks net access: “Russian ransomware blocks net access”

(Via The Register – Security.)

Pricing Scheme for a DDoS Extortion Attack

November 3, 2009

Pricing Scheme for a DDoS Extortion Attack: “

With the average price for a DDoS attack on demand decreasing due to the evident over-supply of malware infected hosts, it should be fairly logical to assume that the ‘on demand DDoS’ business model run by the cybercriminals performing such services is blossoming.

Interestingly, what used to be a group that was exclusively specializing in DDoS attacks, is today’s cybercrime enterprise ‘vertically integrating‘ in order to occupy as many underground market segments as possible, all of which originally developed thanks to the ‘malicious economies of scale’ (massive SQL injections through search engines’ reconnaissance, standardizing the social engineering process, the money mule recruitment process, diversifying the standardized and well proven propagation/infection vectors etc.) offered by a botnet.

What if their DDoS for hire business model is experiencing a decline? Would penetration pricing save them? What if they start enforcing a differentiated pricing model for their services through DDoS extortion?

Let’s discuss one of those groups that’s been actively attempting to extort money from Russian web sites since the middle of this summer. From penalty fees, to 30% discount if they want to request DDoS for hire against their competitors, a discount only available if they’ve actually paid the 10,000 rubles monthly extortion fee at the first place – this gang is also including links to the web sites of Russian’s Federal Security Service (FSB) and Russia’s Ministry of the Interior stating ‘in order to make it easy for the victims to contact law enforcement‘.

Sample DDOS extortion letter:
Hello. If you want to continue having your site operational, you must pay us 10 000 rubles monthly. Attention! Starting as of DATE your site will be a subject to a DDoS attack. Your site will remain unavailable until you pay us.

The first attack will involve 2,000 bots. If you contact the companies involved in the protection of DDoS-attacks and they begin to block our bots, we will increase the number of bots to 50 000, and the protection of 50 000 bots is very, very expensive.

1-st payment (10 000 rubles) Must be made no later than DATE. All subsequent payments (10 000 rubles) Must be committed no later than 31 (30) day of each month starting from August 31. Late payment penalties will be charged 100% for each day of delay.

For example, if you do not have time to make payment on the last day of the month, then 1 day of you will have to pay a fine 100%, for instance 20 000 rubles. If you pay only the 2 nd date of the month, it will be for 30 000 rubles etc. Please pay on time, and then the initial 10 000 rubles offer will not change. Penalty fees apply to your first payment – no later than DATE’

You will also receive several bonuses.
1. 30% discount if you request DDoS attack on your competitors/enemies. Fair market value ddos attacks a simple site is about $ 100 per night, for you it will cost only 70 $ per day.
2. If we turn to your competitors / enemies, to make an attack on your site, then we deny them.

Payment must be done on our purse Yandex-money number 41001474323733. Every month the number will be a new purse, be careful. About how to use Yandex-money read on If you want to apply to law enforcement agencies, we will not discourage you. We even give you their contacts:,

It’s also worth pointing out that a huge number of ’boutique vendors’ of DDoS services remain reluctant to initiate DDoS attacks against government or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of ‘aggregate-and-forget’ type of botnets exclusively aggregated for customer-tailored propositions who would inevitably get detected, shut down, but end up harder to trace back to the original source compared to a situation where they would be DDoS the requested high-profile target from the very same botnet that is closely monitored by the security community.

The future of DDoS extortion attacks, however, looks a bit grey due the numerous monetization models that cybercriminals developed – for instance ransomware, which attempts to scale by extorting significant amounts of money from thousands of infected users in an automated and much more efficient way than the now old-fashioned DDoS extortion model.

Related posts:
Botnet Communication Platforms
Custom DDoS Capabilities Within a Malware
A New DDoS Malware Kit in the Wild
Botnet on Demand Service
The DDoS Attack Against
A Botnet Master’s To-Do List
Custom DDoS Attacks Within Popular Malware Diversifying
Using Market Forces to Disrupt Botnets
Web Based Botnet Command and Control Kit 2.0
DDoS Attack Graphs from Russia vs Georgia’s Cyberattacks
The DDoS Attack Against
Russian Homosexual Sites Under (Commissioned) DDoS Attack

This post has been reproduced from Dancho Danchev’s blog.

(Via Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge.) – The Cash Factory

October 16, 2009 – The Cash Factory: ”
Subscriptions | RSS Feeds | Discussions | Polls | Site Map

All Threats
Whole site    Viruses
Virus Encyclopedia


<< 2009  
Jan Feb Mar
Apr May Jun
Jul Aug Sep
Most Popular Analysis

Monthly Malware Statistics: September 2009

The Cash Factory

Online games and fraud: using games as bait

Keyloggers: How they work and how to detect them (Part 1)

Traps on the Internet
For Potential Authors

Want to become one of our authors and see your work published on Contact us!


  Home / Analysis
The Cash Factory

Oct 09 2009   |   comment

Sergey Golovanov
Igor Soumenkov
The websites
The exploits
The bot
Password stealing Trojans
Downloading other malicious programs
The plan of attack
One more thing…
This article is a study of one spam email and illustrates the methods employed by today’s cyber criminals to create botnets and conduct mass spam "

(Via .)