All times are UTC




 Post subject: Hello
PostPosted: Fri Aug 05, 2011 1:28 pm 
Joined: Fri Aug 05, 2011 12:03 pm
Posts: 2
Hello everyone!

A few days ago, my Hotmail account was hacked and used to send spam to those in my address book. I must admit that a 6-digit password with only the numbers 1, 2 and 3 may not have been the strongest password :). Nevertheless, I decided to have a look at whoever was behind this.

After doing some digging, I found out that the spam emails sent out referred to (hacked) websites that redirected to malicious websites hosted by the Elettrograf / Goldenideas network. As MysteryFCM, who seems to be the leading force on these forums given his share in the total number of posts, has written two very interesting articles on this topic, I decided to join the forum.

While I was doing my research, the size of the operation kept on amazing me time after time. In the end, I found over 20,000 websites hosted on 70 different servers. Most of these servers are part of what seems to be a number of related personal networks. I found a total of 15 ASNs that seem related to each other in one way or another, with about 40 /24s on them.

Based on the fact that they are on adjacent ASNs, several clusters can be identified:
- AS56860 Elettrograf
- AS29568 Comtel
- AS44088 Dorine Hosting (Goldenideas is part of this)
- AS43215 Monyson Group
- AS49130 Arnetwork

From the perspective of the spammers it is clear that their activities on the different clusters are closely related. To start with, the spam messages sent from my own Hotmail account redirected to similar-looking websites run on servers that were on different clusters. I had a look at some of their websites, and it seems that a different version of basically the same website is run on different servers randomly distributed across the clusters. In addition to that, looking at old databases listing the same scam websites, it seems that many websites have been moved to other servers and clusters (I wrote a script to resolve them all).

What is interesting, however, is that the different clusters also seem very related physically. There are several facts that point in that direction.

- One interesting thing is that the IP ranges that are used are mostly in the 94.63.0.0, 95.64.0.0 or 188.229 range. I wonder whether it is possible to check whether these blocks were originally bought as one batch (and if so by whom)...
- Over time, several IP ranges have been moved from an ASN in one cluster to an ASN in another. This again indicates that all clusters may have the same owner.
- They're all in Romania.

I have come across another peculiarity. When I would google for the companies related to the 5 clusters above, and then look at the relations they state on their websites and the information on where their websites were hosted, I often came across ASN AS5606. Even though this may be coincidental (this ASN has many connections), the whois of Dorine Hosting and Monyson refer to Claus.ro. The websites of all three are run from inside AS5606. Claus.ro's website states it's part of GTS Telecom Romania. AS5606 is owned by GTS Romania. arnetwork.com.ro is also hosted from AS5606. A /24 hosting over 1000 sites at iTelecom's AS50244 is seemingly unrelated to the rest of the network. AS5606 is its upstream, however, and iTelecom seems to be owned by GTS Romania. So even though GTS Romania and AS5606 are never directly related, they keep on showing up...

I have made a start with a schematic representation of the structure of the clusters (see attachments). Black lines represent adjacent ASNs, gray dotted lines connections due to migrated /24s, and red dotted lines possible associations related to AS5606.

It'll be very interesting to see whether it's possible to find out who's the actual owner of this operation. Somebody must pay the bills to the hosters...

I hope together we can dig deeper and see whether we can find more information as this is all just too interesting to leave it.

Kind regards, Pieter


Attachment: ASN-Scheme.jpg (Scheme showing ASN relations) [ 111.33 KiB | Viewed 2207 times ]
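A script of the kind Pieter mentions (resolving a list of hostnames, grouping them by /24 and origin AS, and diffing two routing snapshots to spot prefixes that moved between ASNs), as an added example that is not part of the original post. It uses constructed hostnames, RFC 5737 documentation addresses and RFC 5398 documentation ASNs in place of live DNS and routing data, so it runs offline; swap the `lookup` callable and the prefix tables for real resolver and BGP data when using it for actual blocklist research.

```python
"""Cluster spam-landing hostnames by /24 and origin AS from offline data.

Added example; the hostnames, addresses and ASNs below are constructed
(documentation ranges), not data from the thread.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: hostname -> IPv4 address (stand-in for a DNS lookup).
RESOLVED = {
    "shop-one.example": "192.0.2.10",
    "shop-two.example": "192.0.2.77",
    "shop-three.example": "198.51.100.5",
    "shop-four.example": "203.0.113.9",
    "dead-host.example": None,  # NXDOMAIN in this snapshot
}

# Constructed prefix -> ASN tables using documentation ASNs (RFC 5398).
# "old" and "new" stand for two routing snapshots taken at different times.
ASN_TABLE_OLD = {
    "192.0.2.0/24": "AS64496",
    "198.51.100.0/24": "AS64497",
    "203.0.113.0/24": "AS64498",
}
ASN_TABLE_NEW = {
    "192.0.2.0/24": "AS64496",
    "198.51.100.0/24": "AS64496",  # moved from AS64497 to AS64496
    "203.0.113.0/24": "AS64498",
}


def resolve_all(hostnames, lookup=RESOLVED.get):
    """Resolve each hostname via `lookup`; names that do not resolve are dropped."""
    out = {}
    for host in hostnames:
        ip = lookup(host)
        if ip:
            out[host] = ipaddress.ip_address(ip)
    return out


def origin_asn(ip, table):
    """Longest-prefix match of `ip` against a prefix -> ASN table; None if unrouted."""
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def slash24(ip):
    """The /24 containing `ip`, as a string such as '192.0.2.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def cluster_by_asn(host_ips, table):
    """Group hosts by origin AS: {asn: {slash24: [hostnames...]}}."""
    clusters = defaultdict(lambda: defaultdict(list))
    for host, ip in sorted(host_ips.items()):
        asn = origin_asn(ip, table) or "UNKNOWN"
        clusters[asn][slash24(ip)].append(host)
    return {asn: dict(nets) for asn, nets in clusters.items()}


def migrated_prefixes(old, new):
    """Prefixes whose origin AS differs between snapshots: [(prefix, from_asn, to_asn)]."""
    return sorted((p, old[p], new[p]) for p in old if p in new and old[p] != new[p])


if __name__ == "__main__":
    hosts = resolve_all(RESOLVED)
    for asn, nets in cluster_by_asn(hosts, ASN_TABLE_NEW).items():
        print(asn, {net: len(names) for net, names in nets.items()})
    print("migrated:", migrated_prefixes(ASN_TABLE_OLD, ASN_TABLE_NEW))
```

The migration check is what turns a one-off snapshot into the "gray dotted lines" of the diagram: a prefix that appears under one AS in an older database and under another today is an edge between the two clusters.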

 Post subject: Re: Hello
PostPosted: Fri Aug 05, 2011 5:44 pm 
Site Admin

Joined: Thu May 28, 2009 10:25 am
Posts: 6016
Welcome to the forums Pieter.

Incidentally, I'm actually in the midst of an investigation into the relationship between Romanian and Russian/Ukrainian crime gangs, as there's a very close correlation suggesting they're actually one and the same (i.e. the ASs/servers in Romania are actually owned or leased by the gangs in Russia/Ukraine).

Can you drop me an e-mail with the sites/IPs you've identified please?

_________________
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!



 Post subject: Re: Hello
PostPosted: Fri Aug 05, 2011 7:55 pm 

Joined: Fri Aug 05, 2011 12:03 pm
Posts: 2
MysteryFCM wrote:
Welcome to the forums Pieter.

Incidentally, I'm actually in the midst of an investigation into the relationship between Romanian and Russian/Ukrainian crime gangs, as there's a very close correlation suggesting they're actually one and the same (i.e. the ASs/servers in Romania are actually owned or leased by the gangs in Russia/Ukraine).

Can you drop me an e-mail with the sites/IPs you've identified please?


Good to hear that you're still working on this. I find it surprising that they manage to keep this business running without getting shut down by the authorities. Romania is in the EU nowadays...

I'm happy to send the list, but pm is not enabled on my account and I can't find your email address.



 Post subject: Re: Hello
PostPosted: Sat Aug 06, 2011 3:02 pm 
Site Admin

Joined: Thu May 28, 2009 10:25 am
Posts: 6016
Sorry Pieter, I'll move you out of the newly registered users group (default group for those that have just registered).

My e-mail address is;

services@it-mate.co.uk




hpHosts and hpHosts Online are copyright © Malwarebytes Corp - All Rights Reserved