Cybercriminals Leveraging Facebook - Security Affairs


Dec 13, 2013








Cybercriminals Leveraging Facebook

Eric Feinberg, Ian Malloy and Frank Angiolelli



7/8/2013








Table of Contents:

Executive Summary & Diagram
Fake User Profiles
The Posts for Counterfeit Merchandise
Using the Russian Business Network as an Intermediary
Evidence of Replication
Examples of Mass Redirection Using .tk Websites
Patterns
Scope of Fraud
Paid Advertisements on Facebook to Counterfeit Merchandise
The Need for a Detection Mechanism
Threat Detection as a Continuous Process
Conclusion
Appendix A: Evidence of .TK Redirection
Appendix B: Evidence of POST Method in Unencrypted HTTP
Appendix C: Matrix of Some Counterfeit Merchandise Websites
Appendix D: Multiple Types of Suspicious Activity
Appendix E: Paid Advertisements for Counterfeit Merchandise
Steps Forward














Executive Summary & Diagram

Malicious actors and cybercriminals are now leveraging social media as a mass distribution system: they advertise counterfeit consumer goods through Facebook and infect computers to make them part of a botnet, a ring of compromised computers controlled through a remote mechanism. This activity involves trafficking in goods bearing counterfeit trademarks, collecting Personally Identifiable Information over insecure (unencrypted) transport, and using dubious payment processors. It is growing to include money mule recruitment and “loan origination”, and it operates under a Chinese and Russian Business Network banner.

This document lays out evidence that this “system” is highly organized, with creation, masking and distribution components that follow a definable pattern of replication. The actors are exploiting Facebook’s inability to detect and react, as well as weaknesses in its API, to expose large numbers of unsuspecting users to counterfeit merchandise advertisements posted from fake profiles. The mechanism by which the malicious actors are intruding and avoiding detection is the use of Facebook’s Graph API.

In addition, these actors are creating advertisements that use Facebook’s ad distribution to present their sites across thousands of groups, more specifically fan pages related to professional sports.

In this document we present evidence of the organized and distributed network these actors are using, the clearly identifiable patterns, and the need for a detection mechanism.







“The clear onus is on the social media site to protect users from exposure, not just to inappropriate or offensive material, but from material that can steal their identity or money.”

Frank Angiolelli

Figure 1: Ecosystem of Facebook Cybercrime


Fake User Profiles

These malicious actors are creating Facebook profiles under fictitious names, following a distinctive pattern. The profiles are created with the most basic settings and then mass-join public groups. The number of groups joined ranges from approximately 100 to 400+ per profile, and in virtually all cases the user has never posted anything on their own timeline. Through these groups, the “advertisement” posts reach upwards of 300,000 people per fake profile.

Using the profile of Zoe Lim (see Figure 2: Fake Profile of Zoe Lim) as a case study, this “user” joined 194 groups, reaching 377,852[1] people without placing a single post or liking a single page. Some of the accounts have up to 5 liked movie or music pages; however, none of them have any content posts outside of public groups.

Figure 2: Fake Profile of Zoe Lim

A full accounting of all the Facebook profiles is outside the scope of this paper; however, further examples of fake Facebook profiles engaged in this activity include:

Betty Roan, member of 121 groups[2]
Diana Tellez, member of 301 groups[3]
Ward Kelsie, member of 323 groups[4]

[1] A review of fake profile Zoe Lim revealed 194 groups with 377,852 members, not accounting for duplicate membership.

The Posts for Counterfeit Merchandise

Once an account is created, it joins hundreds of groups and posts ads. The posts these fake profiles proliferate consist primarily of a sales pitch, a link to a website (the domains are mostly .tk sites, with no canonical reference to the real storefront), followed by a picture of the supposed merchandise. At this time the posts are mostly a mixture of Ray-Ban and Oakley sunglasses, Louis Vuitton and discount shoes (e.g. www.hotshoessale25.tk, www.niceshoeso.tk, www.outletshoes.tk, www.discountshoes10.tk), as well as other counterfeit merchandise including NFL jerseys. For brevity, this document focuses mostly on the counterfeit sunglasses as evidence of the pattern, with some brief documentation of the other merchandise.

Example Advertisement Post 1

Example Advertisement Post 2

The .tk websites are used as redirectors [see Appendix A] to the counterfeit merchandise “retail” websites, as evidenced in the captured traffic, which delivers the victim to 2bestmall.com.

This replicated website [see “Evidence of Replication”] embeds cnzz.com (see Figure 5), a Chinese web-analytics/visitor-tracking service (described in Figures 5 and 6 as a Chinese Content Delivery Network) that has an extremely poor reputation for hosting exploit code[5]. The payment systems employed by these websites also have a very poor reputation[6]. Realpay-checkout.com is registered at GoDaddy and billingcheckout.com is registered at todaynic.com.

Figure 5: Leveraging billingcheckout.com & Chinese CDN

Figure 6: Using realpay-checkout.com & Chinese CDN

[2] https://www.facebook.com/betty.roan.71?hc_location=stream
[3] https://www.facebook.com/diana.tellez.7545?hc_location=stream
[4] https://www.facebook.com/ward.kelsie?hc_location=stream
[5] http://www.mywot.com/en/scorecard/cnzz.com
[6] http://www.webutation.net/go/review/realypay-checkout.com, http://www.webutation.net/go/review/billingcheckout.com, http://www.sitejabber.com/reviews/www.realypay-checkout.com




Using the Russian Business Network as an Intermediary

These actors are using Russian Business Network IP addresses as intermediaries to host the .tk redirectors. This technique is an evasion tactic: the posted link names only the redirector, which prevents easy discovery and blocking of the offending counterfeit merchandise website behind it. The IP address most often observed hosting these .tk redirectors in this study was 93.170.52.21[7] (see Figure 7).

Figure 7: Russian Business Network Hosting .tk Redirectors

Evidence of Replication

The method is replicated over multiple domains, with multiple redirectors. The domain nice-sunglasses.com is registered to a “Zerubbabel Kahance”. This name is associated with other domains; refer to Appendix C for a fuller accounting. Examples are listed here:

here-store.com[8] - selling “cheap oakley sunglasses”
here-best.com[9] - selling “cheap oakley sunglasses”
come-sale.com[10] - selling “cheap oakley sunglasses”
here-emall.com[11] - selling “cheap bikinis”
here-new.com - selling “cheap oakley sunglasses”
here-yes.com - selling “cheap oakley sunglasses”

The title “Top Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off !” is shown on statscrop.com to match 37 results in total[12].

These sites have the same setup as nice-sunglasses.com[13]: they run Zen Cart[14] and carry the exact same HTML title tag[15]. Each site is, for all intents and purposes, a copy of the site at nice-sunglasses.com. The distribution network is the same as well, leveraging .tk redirectors[16].




[7] http://urlquery.net/report.php?id=3280151
[8] http://whois.domaintools.com/here-store.com
[9] http://www.statscrop.com/www/here-best.com
[10] http://whois.domaintools.com/come-sale.com
[11] http://www.statscrop.com/Here-emall.com
[12] http://www.google.com/#safe=off&site=&source=hp&q=site:statscrop.com+Top+Ray-Ban%C2%AE+And+Oakley%C2%AE+Sunglasses+Online+Store-Up+To+80%25+Off+!&oq=site:statscrop.com+Top+Ray-Ban%C2%AE+And+Oakley%C2%AE+Sunglasses+Online+Store-Up+To+80%25+Off+!&gs_l=hp.3...740.4231.0.5355.23.22.1.0.0.0.169.1915.15j7.22.0...0.0.0..1c.1.17.hp.vPdrev-VGD4&bav=on.2,or.&bvm=bv.48572450,d.dmg&fp=f53ef48681d7c10d&biw=1214&bih=920
[13] http://urlquery.net/report.php?id=3403164
[14] <meta name="generator" content="shopping cart program by Zen Cart&trade;, http://www.zen-cart.com eCommerce">



Examples of Mass Redirection Using .tk Websites

The actors create multiple redirectors hosted on the same IP address over time. The IP address 176.9.241.1 is associated with 39 .tk redirectors between 05/01/2013 and 06/23/2013[17]. Some examples (redirector -> destination) are listed here:

hxxp://yatl-chaffer.tk/ -> here-store.com[18]
hxxp://vrymall-oks.tk -> here-store.com
hxxp://bueall-loves.tk -> here-store.com
hxxp://supermall-malls.tk -> here-yes.com
hxxp://chain-shoping.tk -> here-ok.com
hxxp://service-promote.tk -> here-best.com
hxxp://four-transactions.tk -> here-new.com[19]

The majority of the .tk sites observed and discovered[20] were hosted on the IP addresses 93.170.52.21, 176.9.241.1 and 93.170.52.31.

Patterns

The counterfeit merchandise websites rotate domain, hosting, registrar and geo-location; however, distinct patterns exist across all the websites being distributed, centred on the actual content. Commonalities exist in the Title and Keywords inside the HTML code, which affords a possible detection. This points to the deficiency of detecting bad actors based on registrar, host, IP address or domain name alone, and to the need for a tiered detection mechanism at social networking providers, particularly Facebook, combining anomaly detection with known-bad indicators.

For example, a Google search for “Top Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off !” returns 135,000 results at this time. Not all of these are counterfeit merchandise sites; however, it reveals a problem so prolific that individual legal seizure of domains may be ineffective. The actors will copy their code to another domain, stand up hosting and set up new .tk redirectors.

The speed at which this process can occur without detection is fast enough to cause harm to the economy on what is likely a very large scale. When these techniques are tied to social networking sites like Facebook, and those networks are not equipped to detect and prevent such distribution, the reach-versus-cost of this operation makes it very attractive to the criminal element.

[15] <title>Top Ray-Ban&reg And Oakley&reg Sunglasses Online Store-Up To 80% Off !</title>
[16] http://urlquery.net/report.php?id=3280040
[17] http://urlquery.net/search.php?q=176.9.241.1&type=string&start=2013-05-01&end=2013-06-29&max=50
[18] http://urlquery.net/report.php?id=3242754
[19] http://urlquery.net/report.php?id=2324346
[20] http://urlquery.net/search.php?q=%28mall%7Cshoes%7Cshop%7Clove%7Ctransac%7Coakley%7Crayban%7C%5C-like%7Clike%5C-%29.*%5C.tk&type=regexp&start=2013-05-01&end=2013-06-30&max=400
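The commonality in Title and Keywords described in the Patterns section can be turned into a content fingerprint that survives the rotation of domain, hosting, registrar and IP address. The Python below is an added example written for this edit, not code from the paper or its authors: it extracts the <title>, the generator <meta> and the keywords <meta> from a page, normalises them (entities, the ® and ™ marks, case, punctuation and whitespace) and hashes the result, so that copies of one storefront template cluster together however they are hosted. The three HTML documents are constructed here; the title, generator and keyword strings in the first two are the ones the paper quotes (footnotes 14 and 15 and Appendix C), the domains are placeholders, and the third page is a benign control.

```python
"""Content fingerprinting of storefront HTML (added example, not the paper's code)."""
import hashlib
import html
import re
from html.parser import HTMLParser


class HeadExtractor(HTMLParser):
    """Collect <title> text and <meta name="..." content="..."> values."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.meta = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def normalize(text):
    """Make trivially different copies compare equal: drop &reg/&trade (with or
    without the semicolon) and the ® ™ characters, decode other entities,
    lowercase, and collapse punctuation and whitespace runs to single spaces."""
    text = re.sub(r"&(reg|trade);?", " ", text)
    text = html.unescape(text).replace("\u00ae", " ").replace("\u2122", " ")
    return re.sub(r"[^a-z0-9%]+", " ", text.lower()).strip()


def fingerprint(page_html):
    """Return (sha256 hex digest, normalised features) for one HTML document."""
    parser = HeadExtractor()
    parser.feed(page_html)
    features = {
        "title": normalize(parser.title),
        "generator": normalize(parser.meta.get("generator", "")),
        "keywords": normalize(parser.meta.get("keywords", "")),
    }
    digest = hashlib.sha256("|".join(features.values()).encode("utf-8")).hexdigest()
    return digest, features


def cluster(pages):
    """Group {domain: html} by fingerprint -> {fingerprint: sorted domains}."""
    groups = {}
    for domain, doc in pages.items():
        groups.setdefault(fingerprint(doc)[0], []).append(domain)
    return {fp: sorted(domains) for fp, domains in groups.items()}


# Constructed sample pages.  The first two reuse the title, generator and
# keyword strings the paper quotes; the domains are placeholders.
SAMPLE_PAGES = {
    "shop-a.example": (
        '<html><head><title>Top Ray-Ban&reg And Oakley&reg Sunglasses Online Store-Up To 80% Off !</title>'
        '<meta name="generator" content="shopping cart program by Zen Cart&trade;, http://www.zen-cart.com eCommerce">'
        '<meta name="keywords" content="Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale">'
        '</head><body>...</body></html>'
    ),
    "shop-b.example": (
        '<html><head><title>  Top Ray-Ban\u00ae and Oakley\u00ae Sunglasses Online Store - Up To 80% Off!</title>'
        '<meta name="Generator" content="shopping cart program by Zen Cart\u2122, http://www.zen-cart.com eCommerce">'
        '<meta name="keywords" content="cheap oakley sunglasses,cheap ray-ban sunglasses on sale">'
        '</head><body>...</body></html>'
    ),
    "news.example": (
        '<html><head><title>Local News and Weather</title>'
        '<meta name="generator" content="WordPress 3.5">'
        '<meta name="keywords" content="news, weather">'
        '</head><body>...</body></html>'
    ),
}

if __name__ == "__main__":
    for fp, domains in cluster(SAMPLE_PAGES).items():
        print(fp[:16], domains)
```

The hash is deliberately taken over normalised text rather than the raw bytes, so the ® entity written as &reg, as &reg; or as the literal character all collapse to one value; a deployment would feed it the pages fetched from the landing domains of posted links and alert when a new domain joins a cluster that already holds a known counterfeit storefront.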

Scope of Fraud

The scope of the fraud involved here is not limited to counterfeit merchandise. Throughout the investigation and information gathering activity on Facebook, our group discovered examples of:

- Payday loans (see Appendix D)
- Facebook pages with redirectors[21][22]
- Suspected money mule recruitment (see Appendix D)
- Counterfeit NFL jerseys (see Appendices D and E)
- The installation of remote control capabilities, i.e. a zombie computer or ‘bot’

Paid Advertisements on Facebook to Counterfeit Merchandise

In Appendix E, a sample of evidence of paid advertisements for counterfeit merchandise is presented. These ads are tied to what users “Like” on Facebook: the same methodology Facebook uses to target ads to users is being leveraged to present counterfeit merchandise to the users most likely to buy it.

While a network forensics professional can review these sites and identify suspicious behaviour, the average user cannot. The onus must be on the service provider to minimize criminal operations on its sites. This appears to be a new type of malvertisement, not necessarily deploying exploit kits, but deploying financial fraud and the risk of identity theft.

The advertisement pattern does differ from the current .tk post pattern, tending to embed the Chinese web-analytics service 51.la rather than cnzz.com; however, the sites observed in this review used the same dubious billing processors. The site “louisvuittonoutletcheaps.net” has an unencrypted registration mechanism [see Appendix E], and only after you register and place an order is it revealed that the payment processor is billingcheckout.com.

[21] hxxps://www.facebook.com/Isellshoe/app_208195102528120
[22] hxxp://www.ucool.co/?pagejd




The difference in patterns between the fake-profile “posts” and the counterfeit ads raises a question of MO, or modus operandi, a concept familiar to law enforcement. Predictable patterns must be leveraged against the bad actors, which does not appear to be happening at this time.

The Need for a Detection Mechanism

There is a clear use case here, and at this time it appears to be a void.

This document demonstrates clear patterns of activity by these actors that are detectable using forensic techniques applied to nothing more than the public information available on Facebook. Our group’s clear take-away from this investigation is that a detection mechanism is not only possible but would protect the public in general and enhance the reputation of social media sites like Facebook. Additionally, the economy as a whole would benefit from lower losses to such fraud. The proposed detection mechanism incorporates an applied artificial intelligence technique, best-first search, to detect anomalies in the system, and a Proactive Automated Defense Unit (PAD Unit) to complete the solution.

Our group believes that the patterns observed here can be expanded upon considerably by performing data analytics on the full data held by those sites. This data should be used to extrapolate predictive behavioural models which can be used in a mature process to prevent this activity programmatically and take down bad actors. The clear onus is on the social media site to protect its users from exposure, not just to inappropriate or offensive material, but to material that can steal their identity or money.

The activity in question must be detected by a system that checks the user making the post, the post text itself and the URLs being posted, and then takes action programmatically based on models of acceptable and unacceptable behaviour.




For example, canonical checks, content grabbing, IP reputation and a host of other checks can be performed against the URLs being posted, in a staggered approach that allows high-speed, high-volume vetting in a programmatic fashion. Scoring mechanisms can be designed to allow tiered processing of links in real time, thereby allowing Facebook to pull posts that are suspect based on defined parameters.

The accounts themselves can be vetted along multiple key points to limit the distribution of these events.

Account Creation Process

The account creation process should contain vetting mechanisms whereby the account is checked for established patterns in a methodical way. The process itself should adhere to a continuous improvement lifecycle and would require human as well as machine intelligence. Initial accounts can be tagged for validity and passed on to a processor that monitors for suspicious patterns. As part of the quality control process, any account tagged as suspicious should be put through an automated challenge-response, culminating in termination of the account if it fails.

The Posting Patterns

The posts themselves must run through a series of checks in a tiered manner that allows for scoring and action. Predictive analytics and human-generated patterns must be input into a vetting engine, which can then pass posts on to deeper inspection. The process itself must contain automatic challenge-responses and post removal processes to protect the public from fraud, malice and identity theft without the need for user interaction.
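The staggered, scored vetting described in the three passages above (URL checks, account vetting, post vetting) can be sketched end to end. The Python below is an added example written for this edit, not the authors’ PAD Unit and not Facebook code. It runs three tiers in order of cost, stops as soon as the accumulated score already decides the outcome, and maps the score to allow / review / block. The known-bad IP addresses and the storefront title are the indicators the paper reports; the DNS table, redirect map, landing-page titles, account records, weights and thresholds are constructed stand-ins for live resolution, fetching and tuning.

```python
"""Tiered, scored vetting of a posted link and the account posting it
(added example, not the paper's code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken from the paper: hosting IPs of the .tk redirectors and the
# normalised <title> shared by the replicated sunglasses storefronts.
KNOWN_BAD_IPS = {"93.170.52.21", "176.9.241.1", "93.170.52.31"}
KNOWN_BAD_TITLE = "top ray ban and oakley sunglasses online store up to 80% off"
REVIEW, BLOCK = 40, 70          # score thresholds (constructed, to be tuned)

# Constructed stand-ins for DNS resolution, redirect following and page fetch.
FAKE_DNS = {"discount-oppud.tk": "93.170.52.21", "vrymall-oks.tk": "203.0.113.9",
            "2bestmall.com": "185.3.133.182", "news.example": "198.51.100.7"}
FAKE_REDIRECTS = {"http://discount-oppud.tk/": "http://2bestmall.com/",
                  "http://vrymall-oks.tk/": "http://2bestmall.com/"}
FAKE_TITLES = {"2bestmall.com": "Top Ray-Ban\u00ae And Oakley\u00ae Sunglasses Online Store-Up To 80% Off !",
               "news.example": "Local News and Weather"}


@dataclass
class Account:
    groups_joined: int
    timeline_posts: int


def normalize_title(title):
    """Lowercase, drop the ® ™ marks, collapse punctuation and whitespace."""
    title = title.replace("\u00ae", " ").replace("\u2122", " ").lower()
    return re.sub(r"[^a-z0-9%]+", " ", title).strip()


def resolve_chain(url, max_hops=5):
    """Follow redirects in the constructed map; returns every URL visited."""
    chain = [url]
    while url in FAKE_REDIRECTS and len(chain) <= max_hops:
        url = FAKE_REDIRECTS[url]
        chain.append(url)
    return chain


def tier1(account, url):
    """Cheap checks: account shape, suspicious TLD, host on a known-bad IP."""
    score, reasons = 0, []
    if account.groups_joined >= 100 and account.timeline_posts == 0:
        score += 40
        reasons.append("account: 100+ groups joined with an empty timeline")
    host = urlparse(url).hostname or ""
    if host.endswith(".tk"):
        score += 10
        reasons.append("url: .tk domain")
    ip = FAKE_DNS.get(host)
    if ip in KNOWN_BAD_IPS:
        score += 25
        reasons.append(f"url: {host} resolves to known-bad IP {ip}")
    return score, reasons


def tier2(url):
    """Redirect check: the link lands on a different host than it names."""
    chain = resolve_chain(url)
    first, last = urlparse(chain[0]).hostname, urlparse(chain[-1]).hostname
    if len(chain) > 1 and first != last:
        return 15, [f"redirect: {first} -> {last}"], chain[-1]
    return 0, [], chain[-1]


def tier3(landing_url):
    """Content check: landing page carries a known counterfeit storefront title."""
    host = urlparse(landing_url).hostname or ""
    if normalize_title(FAKE_TITLES.get(host, "")) == KNOWN_BAD_TITLE:
        return 30, [f"content: {host} serves the known counterfeit storefront title"]
    return 0, []


def score_post(account, url):
    """Run the tiers cheapest first; skip the rest once the score means BLOCK."""
    score, reasons = tier1(account, url)
    if score < BLOCK:
        s, r, landing = tier2(url)
        score, reasons = score + s, reasons + r
        if score < BLOCK:
            s, r = tier3(landing)
            score, reasons = score + s, reasons + r
    action = "block" if score >= BLOCK else "review" if score >= REVIEW else "allow"
    return {"score": score, "action": action, "reasons": reasons}


if __name__ == "__main__":
    fake = Account(groups_joined=194, timeline_posts=0)        # the shape of the 'Zoe Lim' profile
    print(score_post(fake, "http://discount-oppud.tk/"))       # decided at tier 1
    print(score_post(fake, "http://vrymall-oks.tk/"))          # needs tiers 2 and 3
    print(score_post(Account(6, 40), "http://news.example/"))  # allowed
```

The early exit is what makes the scheme cheap at Facebook-scale volume: a post from a 194-group, zero-timeline account linking to a .tk host on a known-bad IP is blocked without any fetch, while a redirector on fresh hosting still gets caught when its landing page is fetched and matched against the storefront fingerprint.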

Threat Detection as a Continuous Process

This kind of exploitation is not static and requires a combination of human intelligence and analysis along with algorithmic detection of anomalous patterns. As shown in the diagram below, this process can best be represented by a sine wave, which allows for variable frequency and amplitude. The frequency and amplitude represent the speed of the threat lifecycle and the attack surface, or exposure, respectively.

[Diagram: the threat lifecycle represented as a sine wave, with frequency standing for the speed of the lifecycle and amplitude for exposure]


Conclusion

When mass distribution of counterfeit merchandise is coupled with mass distribution of difficult-to-detect redirecting links through the premier social networking site, Facebook.com, there is a clear mechanism for criminal enterprise. It would appear that the criminals have opportunity, means and motive, and that Facebook currently lacks a capable preventive and response mechanism. Unless a proper response to the threat lifecycle exists, this activity will proliferate across as many social networking sites as possible.

Our solution, a PAD Unit, is both within the scope of solving this issue and also addresses the need for a software program capable of protecting both the users of social media like Facebook and the private industries being taken advantage of. This solution is in the interest of all parties involved except the criminal element.


Appendix A: Evidence Of .TK Redirection

Parameters:

URL = http://discount-oppud.tk/
UAG = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
REF = http://www.facebook.com
AEN =
REQ = GET ; VER = 1.1 ; FMT = AUTO

Sending request:

GET / HTTP/1.1
Host: discount-oppud.tk
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Referer: http://www.facebook.com
Connection: close

• Finding host IP address...
• Host IP address = 128.204.201.9
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:

HTTP/1.1 301 Moved Permanently
Date: Thu, 27 Jun 2013 22:34:16 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.6 Perl/v5.10.1
Location: http://2bestmall.com        [Redirection to counterfeit merchandise website]
Content-Length: 228
Connection: close
Content-Type: text/html; charset=iso-8859-1

Sending request:

GET / HTTP/1.1
Host: 2bestmall.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Referer: http://www.facebook.com
Connection: close

• Finding host IP address...
• Host IP address = 185.3.133.182
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Thu, 27 Jun 2013 22:18:47 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17
Set-Cookie: zenid=6d71bea6330b900388ca93b3af9c72f0; path=/; domain=.2bestmall.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

Content (Length = 46893):

b720
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<title>Top Ray-Ban&reg And Oakley&reg Sunglasses Online Store-Up To 80% Off !</title>        [Counterfeit Sunglass Sales Website]

----------------------------- END TRAFFIC PATTERN ----------------------------------




Appendix B: Evidence of POST Method in Unencrypted HTTP

HTTP/1.1
Host: 2bestmall.com
Connection: keep-alive
Content-Length: 169
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://2bestmall.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://2bestmall.com/index.php?main_page=checkout_shipping_address
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: zenid=e482158d1a4fc0bb3e2b8218f4cd83b6; CNZZDATA5264794=cnzz_eid%3D1499499975-1372379098-http%253A%252F%252F2bestmall.com%26ntime%3D1372379098%26cnzz_a%3D10%26retime%3D1372380023470%26sin%3Dnone%26ltime%3D1372380023470%26rtime%3D0; RpCookie=6k8hup5ph6pl60eqvn3v3agjs4
DNT: 1

gender=m&firstname=Bob&lastname=Jones&street_address=15+Main+Street&suburb=&city=Beverly+Hills&zone_id=12&postcode=90210&zone_country_id=223&action=submit&x=39&y=7
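The request above is what a proxy, IDS or network-forensics tool sees when a storefront collects shipping details over plain HTTP. The Python below is an added example written for this edit, not code from the paper: it parses a raw HTTP/1.1 request, confirms it is a form POST, checks the body against Content-Length (a truncated capture would otherwise be mis-read as a shorter form) and reports which personal-data fields travelled in the clear. Whether the connection was TLS-protected is something only the capture layer knows, so it is passed in as a flag rather than inferred from the headers. The sample request is constructed: the body reuses the field names and test values from Appendix B, while the request line (which the capture above does not preserve) and the list of fields treated as PII are assumptions.

```python
"""Flag personal data submitted in a form POST over cleartext HTTP
(added example, not the paper's code)."""
from urllib.parse import parse_qs

# Form field names treated as personal data or credentials (assumed list; the
# names come from the Zen Cart forms shown in Appendix B and Appendix E).
PII_FIELDS = {"firstname", "lastname", "street_address", "city", "postcode",
              "telephone", "email_address", "password", "confirmation"}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lowercased; the body is everything after the blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_cleartext_pii(raw, over_tls=False):
    """Return the sorted PII field names sent non-empty in a form POST that
    was not carried over TLS; [] if the request is not such a POST."""
    method, _target, headers, body = parse_http_request(raw)
    if over_tls or method != "POST":
        return []
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode("utf-8")):
        raise ValueError("body length differs from Content-Length: truncated capture?")
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in fields.items()
                  if name in PII_FIELDS and values[0] != "")


# Constructed sample.  The body reuses the field names and test values from
# Appendix B; the request line is assumed (the capture above lost it).
SAMPLE_BODY = ("gender=m&firstname=Bob&lastname=Jones&street_address=15+Main+Street"
               "&suburb=&city=Beverly+Hills&zone_id=12&postcode=90210"
               "&zone_country_id=223&action=submit&x=39&y=7")
SAMPLE_REQUEST = (
    "POST /index.php?main_page=checkout_shipping_address HTTP/1.1\r\n"
    "Host: 2bestmall.com\r\n"
    "Connection: keep-alive\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "Origin: http://2bestmall.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://2bestmall.com/index.php?main_page=checkout_shipping_address\r\n"
    "\r\n"
    + SAMPLE_BODY
)

if __name__ == "__main__":
    print(find_cleartext_pii(SAMPLE_REQUEST))
```

Empty fields such as suburb are skipped because an empty value discloses nothing; the Content-Length check matters in forensics because a capture cut off mid-body would otherwise silently under-report what was exposed.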





Appendix C: Matrix of Some Counterfeit Merchandise Websites

Fields: Site; Daily Bandwidth; Age; Title; Name Server - Primary; IP Address; Keywords; Date; Reference.

here-store.com
  Daily Bandwidth: 24.23 MB (726.87 MB/month)
  Age: 4 months
  Title: Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale
  Name Server - Primary: ns1.cloudang.com (50.115.129.33)
  IP Address: 172.245.213.118
  Keywords: home base cash advance debt consolidation here-store.com
  Date: 2/19/2013
  Reference: http://www.statscrop.com/www/here-store.com

here-best.com
  Taken Down by Greer Burns & Crain
  Age: 4 months
  Title, Name Server, IP Address, Keywords, Date: Taken Down

come-sale.com
  Daily Bandwidth: 42.84 MB (1.25 GB/month)
  Age: 4 months
  Title: Top Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off ! Free Shipping On Orders Over 5 Items.
  Name Server - Primary: mns01.domaincontrol.com (216.69.185.34)
  IP Address: 204.74.216.23
  Keywords: Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale
  Date: 2/21/2013
  Reference: http://www.statscrop.com/www/come-sale.com

here-emall.com
  Daily Bandwidth: Unknown
  Age: 4 months
  Title: Cheap Bikinis,Cheap Brand Product
  Name Server - Primary: mns01.domaincontrol.com (216.69.185.34)
  IP Address: 204.74.215.59
  Keywords: Cheap Bikinis, Cheap Brand Product
  Date: 2/19/2013
  Reference: http://www.statscrop.com/www/here-emall.com

here-new.com
  Daily Bandwidth: 1.30 GB (39.10 GB/month)
  Age: 4 months
  Title: Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off !
  Name Server - Primary: ns1.oraco.net
  IP Address: 192.227.139.187
  Keywords: Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale
  Date: 2/19/2013
  Reference: http://www.statscrop.com/www/here-new.com

here-yes.com
  Taken Down by Greer Burns & Crain
  Age, Title, Name Server, IP Address, Keywords, Date: Taken Down


Appendix D: Multiple Types of Suspicious Activity

[Screenshot] Payday loans

[Screenshot] Counterfeit NFL Merchandise

[Screenshot] Suspected Money Mule Recruitment

[Screenshot] Suspect “Loan” Providers

[Screenshot] Suspected Money Mule Recruitment with Unencrypted Data Transport

This tiny.cc URL redirects you to wobmr1r66.blogspot.tw, which requests your personal information.











Appendix E: Paid Advertisements for Counterfeit Merchandise

[Screenshot] The advertisements listed on the right-hand side of this screenshot are for counterfeit merchandise hosted in China.





While not pictured here, this site uses billingcheckout.com





When creating an account, the data is transmitted unencrypted:

POST /create_account.html HTTP/1.1
Host: www.louisvuittonoutletcheaps.net
Connection: keep-alive
Content-Length: 386
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://www.louisvuittonoutletcheaps.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.louisvuittonoutletcheaps.net/create_account.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: zenid=76307818ab1ac31f6e65fe6b1b0005be; AJSTAT_ok_pages=2; AJSTAT_ok_times=1

securityToken=9dc4a61d1389c0332b58a2ce8ec0a767&action=process&email_pref_html=email_format&firstname=Magilla&lastname=Gorilla&street_address=1+Main+Street&should_be_empty=&city=Beverly+Hills&zone_id=12&state=CA&postcode=90210&zone_country_id=223&telephone=874-478-9874&email_address=ilovetoscam%40gmail.com&password=password1&confirmation=password1&email_format=TEXT&x=45&y=19




Registrant Contact Details:

PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
ID#10760, PO Box 16
Note - Visit PrivacyProtect.org to contact the domain owner/operator
Nobby Beach
Queensland, QLD 4218
AU
Tel. +45.36946676

Once you create an account, you can place your order, which is processed by Billingcheckout.com










As evidenced in the transaction listed below, this website loads Chinese third-party tracking services (51.la) and uses the disreputable payment website “billingcheckout.com”.

The ownership information for 51.la traces back to China:

Domain ID: CNIC-DO473296
Domain Name: 51.LA
Created On: 2005-01-17T01:00:00.0Z
Last Updated On: 2012-03-14T16:59:32.0Z
Expiration Date: 2017-01-17T23:59:59.0Z
Status: TRANSFER PROHIBITED
Status: RENEW PERIOD
Registrant ID: P-23189298
Registrant Name: Yang Fucheng
Registrant Street1: 5-32, 55 Jingsan Road
Registrant City: Zhengzhou
Registrant Postal Code: 450008
Registrant Country: CN
Registrant Phone: +86.37168712665
Registrant Email: nuduseng@hotmail.com
Admin ID: P-23189298
Admin Name: Yang Fucheng
Admin Street1: 5-32, 55 Jingsan Road
Admin City: Zhengzhou
Admin Postal Code: 450008
Admin Country: CN


JerseysCheapWholeSaler.us

The information below shows a single advertisement for jerseyscheapwholesaler.us. This website is a Chinese counterfeit merchandise operation for NFL jerseys.

http://urlquery.net/report.php?id=3405561










Domain Name: JERSEYSCHEAPWHOLESALER.US
Domain ID: D35251725-US
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Registrar URL (registration services): whois.enom.com
Domain Status: clientTransferProhibited
Registrant ID: DD78B8C58242F7FF
Registrant Name: shi manyang
Registrant Address1: taijiang qu
Registrant City: fuzhou
Registrant State/Province: fujian
Registrant Postal Code: 350004
Registrant Country: China
Registrant Country Code: CN
Registrant Phone Number: +86.13358216111
Registrant Email: smy21@126.com
Registrant Application Purpose: P1
Registrant Nexus Category: C12
Administrative Contact ID: 324AF205097DFF8C
Administrative Contact Name: shi manyang
Administrative Contact Address1: taijiang qu
Administrative Contact City: fuzhou
Administrative Contact State/Province: fujian
Administrative Contact Postal Code: 350004
Administrative Contact Country: China
Administrative Contact Country Code: CN
Administrative Contact Phone Number: +86.13358216111
Administrative Contact Email: smy21@126.com
Billing Contact ID: DD78B8C58242F7FF
Billing Contact Name: shi manyang
Billing Contact Address1: taijiang qu
Billing Contact City: fuzhou
Billing Contact State/Province: fujian
Billing Contact Postal Code: 350004
Billing Contact Country: China
Billing Contact Country Code: CN
Billing Contact Phone Number: +86.13358216111
Billing Contact Email: smy21@126.com
Billing Application Purpose: P1
Billing Nexus Category: C12
Technical Contact ID: B23D2804097DFF8C
Technical Contact Name: shi manyang
Technical Contact Address1: taijiang qu
Technical Contact City: fuzhou
Technical Contact State/Province: fujian
Technical Contact Postal Code: 350004
Technical Contact Country: China
Technical Contact Country Code: CN
Technical Contact Phone Number: +86.13358216111
Technical Contact Email: smy21@126.com

CustName: Anxin
Address: Chengdu
City: Chengdu
StateProv: SICHUAN
PostalCode: 55001
Country: CN
RegDate: 2012-06-30
Updated: 2012-06-30



Steps Forward

A solution has been suggested in this write-up, namely the Proactive Automated Defense Unit. The PAD Unit will be detailed here to a degree, though a complete description is withheld at this time to protect Malloy Labs’ proprietary intellectual property. The complete PAD Unit relies on proprietary algorithms to actively search through anomalies using methods from artificial intelligence that are quantitatively shown to be superior to using decision trees.

The use of AI in cyber defense is a burgeoning but young field, but Mr. Malloy is confident in his ability to combine the two given his funding from the United States National Aeronautics and Space Administration’s South Dakota Space Grant Consortium to design multi-sensory AI. Mr. Malloy has taken from this several aspects of AI that can be applied safely to cyber security, a field in which he has received awards from competing in the South Dakota Governor’s Giant Vision and the South Dakota Technology Business Center’s accelerator program for start-ups.

This unique knowledge gives the authors a key advantage in producing a solution. Mr. Angiolelli is extremely gifted in big data analysis as well as reverse engineering of malware and offers key insight into how to produce an automated solution to problems such as the one Facebook now faces and has faced for over a year. Mr. Feinberg excels in human intelligence and social engineering, offering a much needed “EyeOn” the threats. Combined with Mr. Malloy’s gifts, the team can easily implement both a short-term and a long-term solution to the problem, should companies need such a solution.

Mr. Malloy outlined a three-PAD-unit approach to solving governmental defense and attack needs in his write-up for NATO CyCon 2013. Only the defensive PAD Unit would be deployed to fix the problems social networks such as Facebook have, limiting the response unit to blocking, as opposed to shutting down the associated servers, even though all servers associated with the problems outlined in this white paper are known for acting maliciously. The team is fully capable of mitigating loss and preventing fraud should companies need such action to be taken.

Ian Malloy
CEO, Malloy Labs LLC, 605-251-4662

Eric Feinberg
CEO, EyeOn Intellectual Property Protection, 917-566-0661

Frank Angiolelli
Independent Security Researcher, 914-589-4474