
EZTrader.com and the email scam botnet – part 2

After being quiet for some time, the botnet appears to have started up yet again, on a Friday, keeping to its schedule. Why does it always seem to spike on Fridays? What a horrible way to end the week.

Anyway, this time round the endpoint site has changed; the HTML redirect on the hacked servers is now:

Some examples of email headers from the spoofed mail are as follows (some data is hidden):

As you can see, the main culprit is still WIN-NPPN1JPV75J, now sometimes joined by WORLDST-UQ3K9Q0, and to this very day it is still spoofing and sending out thousands of spam mails per day.
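The way those machine names keep turning up is in the Received: headers, where the bot announces itself by its HELO name before the receiving mail server stamps on the real connecting IP. The script below is an added example written for this post, not code from the original article: it walks the Received: headers of a message from origin to destination and flags hops whose HELO name is a bare Windows machine name rather than a mail server's FQDN. The message it parses is constructed (RFC 5737 addresses, made-up servers) and only reuses the two HELO names seen in the campaign; the assumption that WIN-NPPN1JPV75J and WORLDST-UQ3K9Q0 are HELO names is mine.

```python
"""Find the origin hop of a spam mail from its Received: headers.

Added example for this post, not code from the original article. The sample
message is constructed; only the HELO names WIN-NPPN1JPV75J / WORLDST-UQ3K9Q0
come from the campaign, and treating them as HELO names is an assumption.
"""
import email
import re

# Constructed sample. Received: headers are prepended by each MTA, so the LAST
# one in the message is the hop closest to the sender (the bot itself).
SAMPLE_SPAM = """\
Received: from mx.example.com (mx.example.com [192.0.2.5])
    by inbox.example.com with ESMTP id 1Zr7ab-0003Xy-Qk
    for <victim@example.com>; Fri, 30 Oct 2015 17:02:11 +0000
Received: from WIN-NPPN1JPV75J (unknown [198.51.100.23])
    by mx.example.com (Postfix) with ESMTP id 4A1B2C3D
    for <victim@example.com>; Fri, 30 Oct 2015 17:02:09 +0000
From: "Business News" <news@example.org>
To: victim@example.com
Subject: Single mom from London makes a staggering amount

Read the story here: http://avazunic.com/
"""

# "from <helo> (<rdns> [<ip>]) by <server> ..." as written by Postfix/Exim/Exchange.
# <helo> is whatever the client claimed; the bracketed IP is what the server saw.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"           # HELO/EHLO name announced by the client
    r"(?:\s+\((?P<paren>[^)]*)\))?"   # optional (rdns [ip]) added by the receiving MTA
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Default computer name Windows generates at install: WIN- plus 11 alphanumerics.
WINDOWS_DEFAULT_NAME = re.compile(r"^WIN-[A-Z0-9]{11}$")


def parse_received(raw_message: str):
    """Return the hops oldest-first: [{'helo', 'ip', 'by'}, ...]."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())          # unfold the header
        m = HOP_RE.match(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
        })
    return hops


def is_suspicious_helo(helo: str) -> bool:
    """A real MTA announces an FQDN. A bare machine name (no dots), an address
    literal, or a Windows default name is the signature of an infected
    desktop or router relaying spam directly."""
    if WINDOWS_DEFAULT_NAME.match(helo) or helo.startswith("["):
        return True
    return "." not in helo


def origin_of(raw_message: str):
    """The first hop (the sending bot) plus whether its HELO looks like a bot."""
    hops = parse_received(raw_message)
    if not hops:
        return None
    first = dict(hops[0])
    first["suspicious"] = is_suspicious_helo(first["helo"])
    return first


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_SPAM):
        print(hop, "<- suspicious" if is_suspicious_helo(hop["helo"]) else "")
```

Run over a mailbox of the complaints, the `ip` of the origin hop is what to report to the ISP, and grouping by `helo` is how the same handful of infected machines show up across thousands of mails even when the From: address changes.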

Let's get schwifty

You know what? I have had it with this. It is illegal and immoral, and the people behind this will go down for it; I will make sure of that. My clients are constantly complaining about it and it is getting on my nerves.

Let's start with the website you get redirected to, “avazunic.com”. Some details for that domain are:

IP address 185.22.173.161
Host name
IP range 185.22.172.0 – 185.22.175.255 CIDR
ISP OOO Fishnet Communications
Organization OOO Fishnet Communications
Country Russian Federation (RU)

Unfortunately I was unable to get the source code for this website; whenever I tried to grab it I received an HTTP error. The website must be some proxy for the redirection stage. I will try to gather more information about this domain, but for now, let's focus on the site it is redirecting to.

UPDATE 02/11/15

The hacked sites now redirect you to “http://clicksdealer.com/?PID=1&file_id=4b8fa8f7&offer_id=72724bb93&offerID=635&app=4fa068&sub=4b7f4916&dir=cece7” as of this date. They must be getting taken down, so they need to keep switching URLs.

And to my surprise, it's a Russian-hosted URL with exactly the same IP as before:

IP address 185.22.173.161
Host name
IP range 185.22.172.0 – 185.22.175.255 CIDR
ISP OOO Fishnet Communications
Organization OOO Fishnet Communications
Country Russian Federation (RU)

This redirect service takes you to the hook, the part that is supposed to draw your attention to the site and make you want to find out more.
It is designed like any other news portal, although I feel like I need to douse my eyes with bleach after looking at this one.

business24pro.net


As you can see from the image, it is a dreadful website. I cannot believe that people actually fall for this, but it happens, and I want to prevent it from happening as it is not fair IMO.

If you examine the source (https://pastebin.com/8YrYMXKp), you can see that all hyperlinks redirect to the same bloody page:

http://business24pro.net/go.php?s=2260900354&o=1

Which is yet another redirect… fun times…

This redirect takes you to a page where it asks for information to sign up to a broker or “money making scheme”:

They are using a service called http://www.searchingprofits.me/, or, as the botnet links to it:

http://searchprofits.me/index.php/user/register?aff_id=cfd841fd&st=GB&S=GB-42260921108&AffiliateID=4804&SubAffiliateID=0j6jqns12

I'm not entirely certain what the difference is between searchingprofits.me and searchprofits.me, except that one is protected by Cloudflare and the other is not.

After you fill out this form (it's badly coded, so you don't need to try hard) it takes you to the final stage of the scam: the trader.

This is what is funding the crime; this is what motivates the criminals to do what they do. They get a commission for every affiliate registration they bring in, and the affiliate and sub-affiliate IDs in that registration URL are what ties the whole chain back to one account.
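The chain described above (hacked site, then the clicksdealer.com redirector, then the fake news portal whose every link goes through go.php, then the searchprofits.me registration form) is the kind of thing worth reproducing offline so the evidence can be re-extracted as the URLs keep changing. The script below is an added example written for this post, not code from the original article or from any of the sites involved: it follows a chain through both HTTP Location redirects and in-page redirects (meta refresh, JavaScript location, or a portal where every anchor points at one door), then pulls the affiliate and tracking parameters out of every hop. The URLs are the ones quoted in this post; the HTTP status codes and page bodies are constructed to stand in for the real responses, which were not captured here, and the hacked-site URL is a placeholder.

```python
"""Follow the redirect chain offline and extract the affiliate evidence.

Added example for this post, not code from the original article. The URLs
are the ones quoted in the post; the responses (status codes, bodies) are
constructed stand-ins, and hacked-site.example is a placeholder.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Query keys seen across the hops that identify the offer and the affiliate.
TRACKING_KEYS = {"PID", "file_id", "offer_id", "offerID", "app", "sub", "dir",
                 "aff_id", "st", "S", "AffiliateID", "SubAffiliateID", "s", "o"}


def tracking_params(url: str) -> dict:
    """Affiliate/tracking parameters carried by a URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items() if k in TRACKING_KEYS}


class _LinkExtractor(HTMLParser):
    """Collect <a href>, <meta http-equiv=refresh> and inline JS redirects."""

    def __init__(self):
        super().__init__()
        self.links, self.redirects, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.redirects.append(m.group(1).strip())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:   # window.location = '...' / location.href = '...' / location.replace('...')
            for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                self.redirects.append(m.group(1))
            for m in re.finditer(r"location\.replace\(\s*['\"]([^'\"]+)['\"]", data):
                self.redirects.append(m.group(1))


def html_redirects(base_url: str, body: str):
    """Absolute (redirect targets, anchor targets) found in an HTML page."""
    p = _LinkExtractor()
    p.feed(body)
    return ([urljoin(base_url, u) for u in p.redirects],
            [urljoin(base_url, u) for u in p.links])


def follow_chain(start: str, responses: dict, max_hops: int = 10):
    """responses maps url -> (status, headers, body). Follows 3xx Location
    headers; on a 200 page takes the first in-page redirect, or, if every
    anchor on the page points at one URL (the go.php portal), that URL."""
    chain, url = [], start
    while url and len(chain) < max_hops:
        if url in chain:            # loop guard
            chain.append(url)
            break
        chain.append(url)
        status, headers, body = responses.get(url, (404, {}, ""))
        if 300 <= status < 400 and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        if status != 200:
            break
        redirects, links = html_redirects(url, body)
        if redirects:
            url = redirects[0]
        elif links and len(set(links)) == 1:
            url = links[0]
        else:
            url = None
    return chain


def affiliate_evidence(chain):
    """Tracking parameters per hostname across the chain: the bit to report."""
    return {urlsplit(u).netloc: tracking_params(u) for u in chain if tracking_params(u)}


# Constructed responses mirroring the chain in this post.
HACKED = "http://hacked-site.example/index.html"      # placeholder for a hacked server
CLICKS = ("http://clicksdealer.com/?PID=1&file_id=4b8fa8f7&offer_id=72724bb93"
          "&offerID=635&app=4fa068&sub=4b7f4916&dir=cece7")
PORTAL = "http://business24pro.net/"
GO = "http://business24pro.net/go.php?s=2260900354&o=1"
REGISTER = ("http://searchprofits.me/index.php/user/register?aff_id=cfd841fd&st=GB"
            "&S=GB-42260921108&AffiliateID=4804&SubAffiliateID=0j6jqns12")
RESPONSES = {
    HACKED: (200, {}, '<html><head><meta http-equiv="refresh" content="0; url=%s">'
                      '</head></html>' % html.escape(CLICKS, quote=True)),
    CLICKS: (302, {"Location": PORTAL}, ""),
    PORTAL: (200, {}, '<html><body><a href="/go.php?s=2260900354&amp;o=1">Read more</a>'
                      '<a href="/go.php?s=2260900354&amp;o=1">Full story</a></body></html>'),
    GO: (302, {"Location": REGISTER}, ""),
    REGISTER: (200, {}, "<html><body><form method=post>...</form></body></html>"),
}

if __name__ == "__main__":
    hops = follow_chain(HACKED, RESPONSES)
    print("\n -> ".join(hops))
    print(affiliate_evidence(hops))
```

Against live sites you would populate `responses` from real fetches (ideally with a browser user-agent, since these redirectors often serve an error to anything else, which may be what happened with avazunic.com above); the point of keeping the fetch separate from the walk is that the same evidence extraction runs again unchanged each time the front-end domain is swapped out.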

EZTrader.com, the bad guy


No matter how legit sites seem, you can never be 100% certain they are trustworthy.

As you can see from this screenshot, it looks very legit and trustworthy, but that is what they want you to think. It is all part of the same scam.

With a few Google searches I can already see the failings of this operation. In November 2014 they had their CIF license suspended by CySEC:

https://leaprate.com/2014/11/cysec-suspends-cif-license-of-binary-options-broker-eztrader-com/

Because of issues regarding:

  1. Safeguarding of clients’ funds,
  2. Own funds, regarding the capital adequacy of investment firms, and
  3. Large exposures.

Only for the suspension to be withdrawn in December of the same year:

https://leaprate.com/2014/12/cysec-withdraws-suspension-of-binary-options-broker-eztrader-com/

They have the worst reviews I have ever seen. Looking on Trustpilot, I can see a few that paint a pretty good picture of how this company operates:

You can view the reviews on trustpilot here:

https://uk.trustpilot.com/review/eztrader.com

Some more reviews:

http://www.sitejabber.com/reviews/www.eztrader.com

So that brings us to the end, or rather the beginning of a shitstorm for this company. I will begin reporting EVERYTHING, handing all the evidence to the appropriate authorities, and I will get this shut down for good.

Here is a small fraction of hacked servers from wave 2:

And here is a small fraction of hacked routers or computers that are sending out spam emails:


http://www.onlinethreatalerts.com/article/2015/7/28/scam-single-mom-from-london-makes-a-staggering-7-650month-from-finances24-news-com/ (A link regarding the fake news portals)

https://www.scamwarners.com/forum/viewtopic.php?f=34&p=211971 (Thread regarding Wuxi Yilian LLC, the spammer and scammer)