Fraudulent infrastructure behind 5M harvested Russian phone numbers service

Pierluigi Paganini March 20, 2014

Dancho Danchev, while profiling a service that offers more than 5M harvested mobile phone numbers, has uncovered a fraudulent infrastructure used for illicit purposes.

Cybercrime is targeting the mobile industry more than ever: the number of attacks is on the rise, and the range of tools and services for the mobile market offered in the underground is growing rapidly. Attackers adapt their techniques to the victims' habits and the local legal framework. An interesting post by Dancho Danchev explains how cybercriminals are evolving their penetration methods for the mobile industry through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, "successfully setting up the foundations for commercial managed/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile malware/spam campaigns."

The popular expert has profiled a harvested mobile phone number service advertised in the underground, discovering that it also offers SMS spamming and phone number verification services. Recent analysis revealed that the cybercriminal ecosystem is also providing Android-based botnet generating tools, allowing criminal gangs to arrange large-scale scams and malware-based campaigns.

Danchev and his team have recently spotted a service offering 5M+ harvested and segmented Russian mobile phone numbers; the sellers offer millions of numbers arranged by business status, gender and possession of a driving license. The service exposes a long-running fraudulent Win32:SMSSend serving infrastructure, SEVAHOST-AS Seva-Host Ltd (AS49313). It is interesting to note that the cybercriminals segmented the harvested mobile phone numbers of Sochi citizens and adopted a collection of malicious mobile apps to infect the victim's handset and recruit it into a mobile botnet.

Mobile Cybercrime Harvested Mobile Phone Numbers

The researchers discovered that the criminals used the domain hxxp://instagramm-registration.ru, which resolved to the IP address 91.228.155.210; the same address also hosts other malicious services and domains, such as rogue games or fraudulent websites.

The criminals also deployed, on the same IP, a cloned service for segmented harvested mobile phone numbers belonging to Sochi citizens, probably to tailor the offer to specific events such as the Olympic Games, launching social-engineering-driven, Android-based malware-serving SMS spam campaigns.
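The domain and IP quoted above are published defanged, as is usual in such reports. As an added example (not code from the original post or from Danchev's research), the following script refangs those indicators and checks constructed DNS/proxy log lines for hosts that resolved or connected to them; the log format and hostnames are assumed for the illustration.

```python
import re

# Indicators quoted in the article above, exactly as published (defanged).
ARTICLE_INDICATORS = ["hxxp://instagramm-registration.ru", "91.228.155.210"]

# Constructed sample log lines (not real telemetry): timestamp followed by
# key=value fields from a DNS resolver or proxy.
SAMPLE_LOG = """\
2014-03-19T10:02:11 host=ws-017 query=instagramm-registration.ru answer=91.228.155.210
2014-03-19T10:05:40 host=ws-042 query=example.org answer=93.184.216.34
2014-03-19T10:07:03 host=ws-017 connect=91.228.155.210:80
2014-03-19T10:09:55 host=ws-088 query=cdn.example.net answer=198.51.100.7
"""


def refang(indicator):
    """Turn a defanged indicator (hxxp://, [.]) into a plain hostname or IP."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://|^https?://", "", s)
    return s.split("/")[0]


def find_matches(log_text, indicators):
    """Return (host, indicator, line) for every log line that mentions an indicator.

    A 'connect=ip:port' field is matched on the IP part only, so the same
    indicator catches both the DNS answer and the later outbound connection.
    """
    plain = {refang(i) for i in indicators}
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        host = fields.get("host", "?")
        values = {v.split(":")[0] for k, v in fields.items() if k != "host"}
        for ioc in sorted(plain):
            if ioc in values:
                hits.append((host, ioc, line))
    return hits


if __name__ == "__main__":
    for host, ioc, line in find_matches(SAMPLE_LOG, ARTICLE_INDICATORS):
        print(f"{host} matched {ioc}: {line}")
```

In the constructed sample only ws-017 is flagged, once for the DNS lookup of the domain, once for the answer IP and once for the direct connection to that IP.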

Mobile Cybercrime Harvested Mobile Phone Numbers 3

What’s next?

In the coming months the cybercrime-as-a-service sales model will be increasingly adopted by cybercriminal groups to monetize their knowledge, responding to the growing attention that international crime is paying to the mobile industry.

Pierluigi Paganini

(Security Affairs –  harvested mobile phone numbers, cybercrime)
