Monday, April 29, 2013

Spam Part II - The Different Actors

In part I, we went over a few things regarding the landing page and the way the requests flow between the different sites. Let's have a look at the various sites, the IPs and the countries involved.

Name                               IP                Country
----------------------------------------------------------------
ruraltrauma.com                    74.208.58.41      US

goodwaystoloseweightsolution.com   176.9.208.109     DE
                                   94.185.80.109     SE
                                   188.165.237.195   FR
                                   46.4.172.234      DE
                                   94.102.52.2       NL
                                   46.4.172.228      DE
                                   201.182.92.85     UY
                                   94.102.55.160     NL
                                   201.182.92.109    UY
                                   5.149.252.21      CA
                                   213.152.160.81    NL
                                   176.9.208.111     DE
                                   78.47.26.67       DE
                                   199.91.174.75     US
                                   199.91.174.74     US
                                   199.91.174.71     US
                                   188.165.237.197   FR
                                   94.185.80.110     SE
                                   201.182.92.110    UY
                                   176.9.208.108     DE
                                   5.149.252.20      CA
                                   176.9.208.125     DE
                                   201.182.92.86     UY
                                   199.91.174.72     US
                                   78.47.26.68       DE
                                   176.9.208.126     DE

traffictrackingsys.com             78.46.196.20      DE

www.clclckck.com                   107.23.215.168    US
  (alias for wehasoffer-elb.go2cloud.org)

wehasoffers.go2cloud.org           50.18.211.52      US

processingordersonline.com         67.215.173.14     US

authenticgarciniacambogia.net      50.28.6.107       US

affiliate.cpavhits.com             67.215.170.92     US

www.mediahub.bz                    192.41.78.41      US

offer.my-secure-page.com           199.189.84.137    US

The majority of the servers are hosted in the US and Germany. We can break down the hosting companies for these two countries.

The situation for Germany is interesting, because only two providers are involved. Furthermore, the upstream provider for "TT International d.o.o." is ... "Hetzner." It seems highly unlikely that a single hoster/provider is unlucky enough to be the only one serving the spam. A quick Google search shows that several of their servers are known to distribute malware. Spamhaus goes even further and lists the two "TT International d.o.o." networks seen here as dirty.

Given the number of hosts returned for "goodwaystoloseweightsolution.com", these could be compromised servers, possibly members of a botnet. Another interesting angle is who registered which name. The last three are US-based registrars; the first one is Ukraine-based.

"www.clclckck.com" is load-balanced across various servers in the Amazon EC2 cloud. The name resolves with a TTL of 60 seconds; 107.23.215.129, 54.246.179.176, 50.18.211.52, 107.21.29.227 and 50.241.149.139 are some of the IPs returned.
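The rotating answers above are the kind of thing worth measuring rather than eyeballing. The script below is an added example, not code from the original post: it summarises repeated lookups of a name (distinct IPs, distinct /24s, lowest TTL) and flags names that rotate through several addresses behind a short TTL. The name and IPs are taken from the post; the lookup timestamps, the per-minute cadence and the contrast entry's TTL are constructed. In practice the LOOKUPS list would be filled from a resolver log or a cron'd dig loop.

```python
# Added example, not from the original post: summarise repeated DNS lookups
# to spot a name that rotates through several addresses behind a short TTL,
# the behaviour the post describes for www.clclckck.com.  The name and IPs
# come from the post; timestamps and the contrast entry's TTL are constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Lookup:
    ts: int     # seconds since the start of the collection window
    name: str
    ip: str
    ttl: int    # TTL reported in the answer, in seconds


# Constructed observations: one lookup per minute against the same resolver.
LOOKUPS = [
    Lookup(0, "www.clclckck.com", "107.23.215.129", 60),
    Lookup(60, "www.clclckck.com", "54.246.179.176", 60),
    Lookup(120, "www.clclckck.com", "50.18.211.52", 60),
    Lookup(180, "www.clclckck.com", "107.21.29.227", 60),
    Lookup(240, "www.clclckck.com", "50.241.149.139", 60),
    Lookup(300, "www.clclckck.com", "107.23.215.129", 60),
    # A stable name for contrast (IP from the post's table, TTL constructed).
    Lookup(0, "ruraltrauma.com", "74.208.58.41", 3600),
    Lookup(60, "ruraltrauma.com", "74.208.58.41", 3600),
    Lookup(120, "ruraltrauma.com", "74.208.58.41", 3600),
]


def prefix24(ip):
    """The /24 an IPv4 address sits in, e.g. '107.23.215.0/24'."""
    return str(ip_network(ip + "/24", strict=False))


def summarise(lookups):
    """Per name: distinct IPs, distinct /24s, lowest TTL seen and lookup count."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for entry in lookups:
        ips[entry.name].add(entry.ip)
        ttls[entry.name].append(entry.ttl)
    return {
        name: {
            "ips": sorted(ips[name], key=ip_address),
            "prefixes": sorted({prefix24(ip) for ip in ips[name]}),
            "min_ttl": min(ttls[name]),
            "lookups": len(ttls[name]),
        }
        for name in ips
    }


def rotating_names(summary, max_ttl=300, min_ips=3):
    """Names answering with at least `min_ips` addresses under a TTL of at most
    `max_ttl` seconds.  This is a triage signal, not proof of abuse: CDNs and
    cloud load balancers legitimately look exactly like this, so the result
    means 'look closer at who owns these ranges', nothing more."""
    return sorted(
        name for name, s in summary.items()
        if s["min_ttl"] <= max_ttl and len(s["ips"]) >= min_ips
    )


if __name__ == "__main__":
    summary = summarise(LOOKUPS)
    for name in rotating_names(summary):
        s = summary[name]
        print(f"{name}: {len(s['ips'])} IPs in {len(s['prefixes'])} /24s, "
              f"TTL {s['min_ttl']}s over {s['lookups']} lookups")
```

The /24 count is there because a handful of addresses spread over five unrelated prefixes, as here, points at a load balancer fronting machines in several places rather than one rack; the next step is to look up who owns each range, which is exactly the hosting breakdown the post does by hand.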

Conclusion ...

After I discussed this with my friend, she told me her account had been hacked into and she had had to change her password. The account was used to send an e-mail to all her contacts.

The front-end site was most likely compromised and hosts a script that redirects visitors based on their browser's User-Agent. That way, when a search engine crawler fetches the page, it sees no redirection and never reaches the spam content.
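A site owner can check for this kind of cloaking by fetching their own page twice, once with a crawler User-Agent and once with a browser one, and comparing every way each response could move the visitor (HTTP Location header, meta refresh, inline script touching location). The code below is an added example, not from the original post; the two responses are constructed to illustrate the pattern and the landing URL is a placeholder. A real check would fill the dictionary from actual fetches with the two User-Agent headers.

```python
# Added example, not from the original post: detect a User-Agent-conditional
# redirect by comparing how the same URL answers a crawler and a browser.
# The responses below are constructed; "landing.example" is a placeholder.
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class Response:
    status: int
    headers: dict   # header name -> value
    body: str       # decoded HTML


class _RedirectFinder(HTMLParser):
    """Collect meta-refresh targets and inline scripts that assign location."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            idx = content.lower().find("url=")
            if idx != -1:
                self.meta_refresh.append(content[idx + 4:].strip().strip("'\""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        hints = ("location.href", "location.replace", "location.assign", "window.location")
        if self._in_script and any(h in data for h in hints):
            self.scripts.append(" ".join(data.split()))


def redirect_targets(resp):
    """Every way this response can move the visitor: a 3xx Location header,
    <meta http-equiv=refresh>, and inline scripts that touch location."""
    targets = []
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if 300 <= resp.status < 400 and "location" in headers:
        targets.append(("http", headers["location"]))
    finder = _RedirectFinder()
    finder.feed(resp.body)
    finder.close()
    targets += [("meta-refresh", t) for t in finder.meta_refresh]
    targets += [("script", s) for s in finder.scripts]
    return targets


def cloaking_findings(by_agent, baseline="crawler"):
    """Redirects present for some agent but absent from the baseline (crawler)
    view, as [(agent_label, kind, target)].  An empty list means every agent
    was treated the same, which is what an honest page does."""
    base = set(redirect_targets(by_agent[baseline]))
    findings = []
    for label, resp in by_agent.items():
        if label == baseline:
            continue
        for kind, target in redirect_targets(resp):
            if (kind, target) not in base:
                findings.append((label, kind, target))
    return findings


# Constructed responses for one URL fetched twice with different User-Agents:
# the crawler gets the plain page, the browser gets the same page plus a
# script that sends it elsewhere.
SAMPLE = {
    "crawler": Response(200, {"Content-Type": "text/html"},
                        "<html><body><h1>Welcome</h1><p>Course dates.</p></body></html>"),
    "browser": Response(200, {"Content-Type": "text/html"},
                        '<html><head><script>window.location.href = "http://landing.example/offer";</script>'
                        '</head><body><h1>Welcome</h1><p>Course dates.</p></body></html>'),
}


if __name__ == "__main__":
    for agent, kind, target in cloaking_findings(SAMPLE):
        print(f"{agent} sees a {kind} redirect the crawler does not: {target}")
```

Comparing redirect behaviour rather than raw bodies keeps the check quiet on pages that legitimately vary by device (different CSS or markup for mobile) while still catching the case the post describes, where only real browsers are sent on to the spam site.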

The number of machines suggests this is not an amateur campaign but rather that an organization is behind it, and that the system can be extended to accommodate further "products". Amazon EC2 is leveraged to provide the core redirection, which ensures persistence should some parts of the chain be cleaned up or turned off.

Lastly, some of the servers also appear to belong to less-than-reputable hosting companies known to harbor malware and criminal activity, reinforcing the idea that a criminal organization is behind it.