Attackers/Fraudsters Never Retire, They Just Evolve — Uncovering a Scheduled Russian SCAM

Rakesh Krishnan
9 min read, Jun 14, 2020

In the world of digital fraud, scammers are a well-known group who promise to sell various services or items to netizens by presenting themselves as legitimate parties through means such as hoax comments, inflated records of past vendor dealings, fake star ratings, etc.

There are different types of scammers out there: those who target ordinary e-commerce customers, where the largest profits are reaped, and those who target people who buy offensive services from deep web or dark web marketplaces.

Attackers Never Retire, They Just Evolve! Image Courtesy: Redpeggy (DeviantArt)

Here, we discuss one such scammer, who offers dark web users a program called XMPP SPAMMER, which floods a target's XMPP messenger with a continuous stream of bogus messages, much as an email bomber floods a mailbox with junk mail.

This is an effective technique in targeted attacks: the flood distracts the victim so that the malicious activity can continue while the attacker covers their tracks in the meantime.

Now, you may wonder why this matters.

On dark/deep web forums, offensive services are sold directly over XMPP (Extensible Messaging and Presence Protocol) messengers such as Jabber, with privacy in mind, as most dark web sellers are careful about operational security (OPSEC). Moreover, such IM conversations are typically protected with OTR (Off-the-Record) messaging, which gives them encryption and deniability (OTR does not cover file transfers, though).

Many people in the same field (sellers of offensive services/tools) do not like their competitors winning the deals advertised on the various popular forums out there.

This is where XMPP Spammer comes into the picture…

The real purpose of an XMPP spammer: to flood a competitor's (or anyone's) XMPP messenger with junk messages so that the seller cannot pick out genuine business requests, disrupting their business.

Here, we discuss the SCAM that advertises the sale of an XMPP spam program.

Don't confuse SCAM with SPAM, even though they differ by only one letter.

I came across this site during my daily dark web rounds, and it made me suspicious enough to dig into the advertised service.

Let's analyze in depth each data point (checkpoint) left behind by the fraudster.

Here begins the Investigation!

URL:- http://xmppspamc54buwix.onion/

Advertised Offer

As the site is also present on the surface web, let's dig deeper!

CHECKPOINT #1: XMPPSPAM.NET

This domain name has expired (at the time of writing) and is available for purchase at different prices on several platforms, such as:

Price in WHOIS
Price in NAME.com
Price in Namecheap

But I was not satisfied with this result, as I was curious about the site's past activity (even though it is not registered at the moment).

So I decided to check the site's history.

Historical Records

Notably, the site was hosted behind Cloudflare and later switched to Sedo GmbH, a German domain marketplace and parking provider, in between.

According to the MX records, the site was first fingerprinted on 21st May, 2017. We will come back to this date in the timeline at the end.

Here it is evident that a service which existed before could return at any time with the same fraudulent offer, as the site now says "IS UNDER MAINTENANCE".

Yes, the fraudsters could be scheduling their service's return here.

CHECKPOINT #2: WHOIS

Checking the WHOIS record of the site yields the following details:

Name: Host Master
Organization: 1337 services llc
Email: whois+xmppspam.net@njal.la
Address: P.O. Box 590
City: Charlestown
State: Charlestown
Country: KN Saint Kitts And Nevis
Phone: +1.4259064769
Fax: +1.4165350123

As expected, the fraudsters relied on Njalla, a privacy-focused domain registration service started by Peter Sunde (co-founder of The Pirate Bay), to mask their real identity.

In short, these registration details are the defaults Njalla supplies for anyone who subscribes to its service: Njalla registers the domain in its own name on the customer's behalf, so it sits between the criminals and the offensive service they host.

Domain Name: XMPPSPAM.NET
Domain ID: 2117837728_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2017-04-26T11:50:11Z
Creation Date: 2017-04-26T11:41:21Z
Registrar Registration Expiration Date: 2018-04-26T11:41:21Z
Registrar: TUCOWS, INC.
Registrar IANA ID: 69

The domain was registered through Tucows, a registrar that turns up frequently in malicious campaigns (Njalla itself registers its customers' domains through Tucows, as the record above shows).

Note: while investigating some ransomware sites, I found that they too relied on Tucows for domain registration.

From the above data, the site was initially registered on 26th April, 2017.

Analyzing further, I came across the list of sites hosted alongside XMPPSPAM during that time frame, when it sat behind Cloudflare. Keep in mind that a Cloudflare IP is shared by many unrelated customers, so "neighbor" sites behind it are not evidence of any connection to XMPPSPAM.

List of Sites hosted along with XMPPSPAM in 2018: Neighbor IP

CHECKPOINT #3: JABBER ID

A simple search on "xmppspam@wallstreetjabber.biz" shows that the ID is present on a list of scammers.

Yes, there is underground work like this going on, by various guardian angels of cyberspace, to identify scammers.

Paste of Scammer List

The above screenshot is from this paste, whose title, "Kidala" (Russian/Ukrainian slang), means "ripper" or "swindler" (literally from the verb "to throw", i.e. to rip someone off). To check the genuineness of the paste, I did a surface check on some of the IDs, and the results justified the paste's title.

From the JID, the fraudster relies on a bulletproof Jabber service named WallStreet Jabber, which can be reached here.

Note: there are many Jabber servers, each advertising its own unique features.

Note also that the second ID, xmppspam@securetalks.biz, redirects to WallStreet Jabber as well, which confirms that SecureTalks belongs to WallStreet Jabber. Both domains are registered with PDR (Public Domain Registry).

CHECKPOINT #4: SERVICE NAME

Searching for the service name "xmppspam", I came across tangible proof.

Direct Complaint fingerprinted on Operator Email Server

Here, we came across 4 user accounts, as shown. They are:

ejineege30@
daviegril46@
divinesoul11@
confessor@

From this, we learned that XMPPSPAM also has another domain, "xmppspam.space" (TLD .space), since the onion address was the same one explained before.

Note: Jabber Mail keeps the email records sent to operators, and these can be accessed for OSINT investigations involving Jabber.

At this point, our investigation was on the right track! It was now possible to narrow the search down to a location.

CHECKPOINT #5: XMPPSPAM.SPACE

Following the same approach, I found the following details:

Historical Traffic Data of xmppspam.space

According to the MX records, this site was hosted on Amazon, detected on 29th September, 2017.

Checking other results, I found another intriguing piece of evidence!

CHECKPOINT #6: CERTIFICATE TRANSPARENCY

Certificate Details of Velmtrade

From this, it is evident that the site velmtrade.ru served a certificate whose Common Name (CN) is xmppspam.space. This suggests that Velmtrade is somehow connected to our prime suspect, XMPPSPAM.

The emails and Jabber IDs gathered from Velmtrade and public dorks include:

xmppspam@jabber.ru
hostmaster@xmppspam.space
xmppspam@dukgo.com
xmppspam@jabb3r.org

I then connected the dots and checked the SSL certificate history of xmppspam.space, which showed that not just one but multiple sites used the same certificate that was issued for XMPPSPAM.

A basic search showed that the site used a multi-domain (multi-SAN) SSL certificate. This is most likely because the service sat behind Cloudflare (as discussed earlier); the certificate itself was issued by Comodo CA. One caveat: Cloudflare's shared Universal SSL certificates bundle the hostnames of many unrelated customers into one certificate, so sharing a certificate alone is weak evidence of a connection unless it is corroborated by other data.

Here is the connection between Cloudflare and Comodo:

Comodo certificates are issued by default to Cloudflare users

Following is the certificate log of xmppspam.space, issued on 17th February, 2016.

Certificate Log of XMPPSPAM.space

But the stronger finding was that some sites are tied to XMPPSPAM directly: they are listed together with it in the Subject Alternative Names of a single certificate and are corroborated elsewhere, such as:

lukmus.ru (found alongside our suspect on a Russian forum)
xmppspam.to
securetalks.biz

Note: here is the full certificate, which you can analyze yourself.
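To make the certificate pivot above reproducible, here is an added example (my code, not the article's). It parses records in the JSON shape crt.sh returns for a `?q=<domain>&output=json` query, lists every hostname that shares a certificate with a suspect domain, and flags names whose only link is a CDN-shared certificate (e.g. Cloudflare Universal SSL, recognisable by a `cloudflaressl.com` SAN). The sample records are constructed to mirror the article's finding, not real crt.sh output; the crt.sh URL format and the `cloudflaressl.com` marker are assumptions about those services.

```python
"""Certificate Transparency pivot: which hostnames share a certificate with
a suspect domain, and how strong is that link?

Added example, not code from the original article. Input is the JSON shape
crt.sh returns for https://crt.sh/?q=<domain>&output=json (fields `id`,
`common_name`, `name_value`; `name_value` holds one hostname per line).
"""
import json
import urllib.parse
import urllib.request
from collections import defaultdict

# Constructed sample in crt.sh's JSON shape, mirroring the article's finding.
# These are NOT real crt.sh records.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "xmppspam.space",
     "name_value": "xmppspam.space\nwww.xmppspam.space"},
    # Dedicated multi-SAN certificate: the names the article ties to XMPPSPAM
    {"id": 2, "common_name": "xmppspam.space",
     "name_value": "xmppspam.space\nvelmtrade.ru\nlukmus.ru\n"
                   "xmppspam.to\nsecuretalks.biz"},
    # CDN-shared certificate: unrelated tenants packed into one cert
    {"id": 3, "common_name": "sni456.cloudflaressl.com",
     "name_value": "sni456.cloudflaressl.com\nunrelated-shop.example\n"
                   "xmppspam.space"},
])

# SAN suffixes that mark a shared CDN certificate (assumption: Cloudflare
# Universal SSL certificates carry a sniNNN.cloudflaressl.com name).
SHARED_CERT_SUFFIXES = ("cloudflaressl.com",)


def parse_crtsh(raw_json):
    """Return {cert_id: set of lowercase hostnames} from crt.sh JSON."""
    certs = {}
    for rec in json.loads(raw_json):
        names = {n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()}
        names.add(rec["common_name"].strip().lower())
        certs[rec["id"]] = names
    return certs


def is_shared_cdn_cert(names):
    """True if any SAN looks like a CDN-shared certificate name."""
    return any(n.endswith(suf) for n in names for suf in SHARED_CERT_SUFFIXES)


def pivot(certs, suspect):
    """Map every hostname that shares a certificate with `suspect` to the
    sorted list of certificate ids they share (suspect itself excluded)."""
    links = defaultdict(set)
    for cert_id, names in certs.items():
        if suspect in names:
            for name in names - {suspect}:
                links[name].add(cert_id)
    return {name: sorted(ids) for name, ids in links.items()}


def evidence_strength(certs, links):
    """'strong' if the hostname shares at least one dedicated (non-CDN)
    certificate with the suspect; 'weak' if every shared certificate is a
    CDN-shared one, where co-tenancy proves nothing by itself."""
    return {
        name: "strong" if any(not is_shared_cdn_cert(certs[i]) for i in ids) else "weak"
        for name, ids in links.items()
    }


def fetch_crtsh(domain, timeout=30):
    """Live query (needs network). Assumes crt.sh's JSON output format."""
    url = "https://crt.sh/?q=%s&output=json" % urllib.parse.quote(domain)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    certs = parse_crtsh(SAMPLE_CRTSH_JSON)
    links = pivot(certs, "xmppspam.space")
    strength = evidence_strength(certs, links)
    for name in sorted(links):
        print("%-28s certs=%s link=%s" % (name, links[name], strength[name]))
```

Swap `SAMPLE_CRTSH_JSON` for `fetch_crtsh("xmppspam.space")` to run it against the live log; the point of `evidence_strength` is that a name found only on a CDN-shared certificate should be treated as a lead to corroborate, not as a finding.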

CHECKPOINT #7: TRACKING ASN

As per the data acquired from the operator's Jabber mail log, the request came from 252-201-36-78.baltnet.ru. This is the hostname.

The hostname embeds the address octets in reverse order, a common ISP convention for customer reverse-DNS records; a lookup confirms the IP address behind it: 78.36.201.252
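The hostname-to-address step above can be automated and, more importantly, checked. The following is an added example (my code, not the article's): it extracts the four octets embedded in an ISP-style reverse-DNS name, produces both the as-written and the reversed reading, discards candidates that are not publicly routable, and, when a network is available, confirms the survivor with a PTR lookup. The hostname is the one quoted in the article; the regex and the assumption that ISPs embed the octets in the label are mine, which is why the PTR check is there to validate them.

```python
"""Recover and verify the IPv4 address embedded in an ISP-style PTR hostname
such as 252-201-36-78.baltnet.ru.

Added example, not code from the original article. Many ISPs build customer
reverse-DNS names from the address octets, frequently in reverse order; the
PTR check at the end confirms which reading is right (needs network).
"""
import ipaddress
import re
import socket

# Four dotted or dashed octets at the start of the label (assumed convention).
OCTETS = re.compile(r"^(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})\.")


def candidate_ips(hostname):
    """Return the as-written and reversed IPv4 readings of the leading octets,
    or [] when the name has no valid four-octet prefix."""
    match = OCTETS.match(hostname.strip().lower())
    if not match:
        return []
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        return []
    forward = ".".join(str(o) for o in octets)
    reverse = ".".join(str(o) for o in reversed(octets))
    return [forward] if forward == reverse else [forward, reverse]


def is_routable(ip):
    """True only for public, non-reserved unicast addresses. 252.x.x.x lies in
    the reserved 240.0.0.0/4 block, which is what rules out the as-written
    reading of the article's hostname."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_reserved and not addr.is_multicast


def plausible_ips(hostname):
    """Candidates that survive the routability filter."""
    return [ip for ip in candidate_ips(hostname) if is_routable(ip)]


def verify_ptr(ip, hostname):
    """Reverse-resolve `ip` and compare with `hostname`.
    Returns True/False, or None if the lookup fails (offline, no PTR)."""
    try:
        ptr_name, _, _ = socket.gethostbyaddr(ip)
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None
    return ptr_name.lower().rstrip(".") == hostname.lower().rstrip(".")


def resolve_hostname(hostname):
    """Best effort: (ip, 'verified') if a PTR confirms a candidate; otherwise
    the single plausible candidate as 'unverified'; otherwise (None, reason)."""
    candidates = plausible_ips(hostname)
    for ip in candidates:
        if verify_ptr(ip, hostname):
            return ip, "verified"
    if len(candidates) == 1:
        return candidates[0], "unverified"
    return None, ("ambiguous" if candidates else "no-candidate")


if __name__ == "__main__":
    host = "252-201-36-78.baltnet.ru"  # hostname quoted in the article
    print("candidates:", candidate_ips(host))
    print("plausible:", plausible_ips(host))
    print("result:", resolve_hostname(host))
```

When both readings are routable (e.g. 1.2.3.4 vs 4.3.2.1) only the PTR lookup can decide, so treat an "unverified" result as a working hypothesis rather than an attribution.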

CHECKPOINT #8: INSPECTING IP ADDRESS

Mapping the IP address 78.36.201.252 gives the following:

IP Details belongs to Russian Federation

Analyzing the IP address, I found reports of several kinds of attacks emanating from this IP range, such as DDoS attacks, brute-force attempts, port scans, blackhole traffic, etc. Since this is a consumer ISP range, such reports describe the neighbourhood the IP sits in rather than the actions of any single subscriber.

Attack Vectors detected on same Network Range

CHECKPOINT #9: IP WHOIS

This IP address is registered to Rostelecom's network in Kaliningrad, Russia.

Upon digging, following details are found:-

IP WHOIS Details

Here, both persons listed are associated with Rostelecom's network, and this appears legitimate. But again, the real identity of the fraudsters is masked, as they are merely subscribers of this ISP.

CHECKPOINT #10:SPAM ACTIVITY DETECTION

Checking the ASN, AS12389, shows that the network has high spam activity, as also fingerprinted in the CleanTalk analysis. Following are the details:

ASN Analysis from CleanTalk

From this, the network saw a sudden surge last month (May 2020), recorded as its highest level of malicious network activity in the timeline since June 2019.

Again, don't confuse SPAM with SCAM, though the network is notable for spam activity. Note that AS12389 is Rostelecom's main autonomous system and carries a very large subscriber base, so ASN-level spam statistics say nothing about any individual customer.

FINAL CHECKPOINT: WARNING FORUM POST

A search on one of the popular Russian forums led me to a fraud complaint, which appeared on 5th September, 2016.

Direct Complaint of XMPPSPAM Service

Translated from Russian, the message reads:

Hello everyone!

I would like to warn everyone about ripping by the "project" xmppspam.space, which is being promoted on the notorious ripper board CCC.MN

So, these crooks took 0.5 BTC to the balance and then simply blocked my account. They do not respond to messages in the "gill" [Jabber].

Jabbers that ripped me off:

xmppspam@jabber.ru & xmppspam@jabb3r.org & xmppspam@dukgo.com

Be careful, don't fall for their tricks

These checkpoints led us to the conclusion that XMPPSPAM really is a SCAM, and that its operator was reached via a Rostelecom subscriber address, even though the service itself was masked behind Cloudflare.

Here is a quick glance at the XMPPSPAM timeline, in chronological order:

xmppspam.space: 17th February, 2016 (SSL Records)
xmppspam.space: 5th September, 2016 (Fraud Complaint on Russian Forum)
xmppspam.space: 30th September, 2016 (First Network Fingerprint detected)
xmppspam.net: 26th April, 2017 (Registration)
xmppspam.net: 26th April, 2017 (SSL Records)
xmppspam.net: 21st May, 2017 (MX Record Detected)
xmppspam.space: 29th September, 2017 (MX Record Detected)

Analyzing the timeline, it is evident that the XMPPSPAM group became active at different intervals and has now announced its return on the onion site.

This is just one kind of dark web activity that was spotted, and the pattern could be adopted by anyone planning to launch an offensive service.

Just as many ransomware operators announce their shutdown by releasing their decryption keys to the public, only to reappear under a new name a couple of months later with the same or a modified codebase, this is a recurring modus operandi of attackers and fraudsters.

~~~~~Attackers/Fraudsters Never Retire, They Just Evolve!~~~~~

Hope you enjoyed this investigative journey and learned a few new things!

KEY-TAKEAWAYS

>>A fraudster/attacker can purchase a domain at any time for a scheduled attack/campaign

>>Attackers/fraudsters can make a comeback at any time to defraud or attack network users by changing their handles or communication methods. The only thing that catches them is the historical records of the network and the back-links.

>>Attackers increasingly rely on services such as Njalla, a privacy-focused domain registration service, to keep their identity private.

>>Fraudsters present themselves under different handles on various forums, targeting different audiences to defraud.

>>SSL records and historical data never lie

Note: this article is purely individual research and is not to be used or published anywhere without the author's consent.

Don't forget to follow me on Twitter if you want interesting data points ;-)


Rakesh Krishnan

Independent security researcher and threat analyst. Often sheds light on the dark web. Regular contributor to the infosec community.