Friday, 23 December 2011

Tracking Cyber Crime: True Big Cash (FakeAV Affiliate)

Recently the advertising of BlackHole have changed, and lead to a carder community
Once again, we found Severa and... a fake AV affiliate.


Jabber ~
24 Nov:

29 Nov:

2 Dec: Affiliate open

Main:

Daily stats:

Stats by country:

Landing codes:

FakeAV download:

Create subaccount:

Profile edit:

Payements:

The FakeAV:



Another (beta?) panel was found for partners

Unknown database 'ppcaccess'

Multi Router Traffic Grapher:

Landing pages





A landing page on 94.61.247.181:

The following URL's was found:
http://rainbol.in/SolmgHQJM14sbPTQGOF/mQCNjwpSvk3c8GZ+E+TxjTXy/xwyTnsk4QDLkGPvpd8k9GIJbNH20U9q8yPNw6Qm/P/Or+CTtFRHbsWk7WmJjolY6SRcq7llIT7Kp+DA/fZvoi2LcGaH2EB4mu54stLdsGmrYJthSMB7DP54+xXlkRkg8+yxHt5K70psxFUbgiAIqwU7XwsFp3g=
http://rainbol.in/AypeoZlxCOwqq9XBLWk2F6j8AYgeIC382xUGOjTLCJAMJHLNG4KbY9OVLXJHmMvmeIBQ5njXRJM/FBitifrfiD1JbpEQ/Fo7Mbo8DICdajMgow==
http://rainbol.in/l.php?aff_id=284&u={5129F7AA-8EAF-F8FD-3532-B0D0287A637B}&log_id=12
http://rainbol.in/sw/284/1/{5129F7AA-8EAF-F8FD-3532-B0D0287A637B}/7df4b815-fd2a-4dff-8681-25e38c6bcd27/b.dat

Malware download (94.61.247.181):
menstro.in
rainbol.in
sealove.in
mikeller.in
intodub.in
aliento.in
abedaso.in
brostuk.co.in
poruble.co.in
peantos.in
neutone.in
pustell.co.in
egorest.co.in
mumvron.in
urdolast.in
boragore.in
nuowello.in
psesinda.in
rostets.in
12:17:26 - foreston.in
15:17:27 - astinkol.in
17:17:27 - piesdool.in
22:17:29 - krundse.in
01:17:37 - pelosko.in
10:18:41 - mendaly.in
12:18:47 - flyakke.in
16:19:01 - wsiteed.in
19:19:03 - irvengo.in
22:19:10 - ferdesa.in
08:45:14 - gototrop.co.in

FakeAV download
http://94.61.247.181/l.exe?rwmid=1&wmid=284
Posted by at 15:53
Labels: , , ,

2 comments:

Subscribe to: Post Comments (Atom)