Making money with Black Magic!
This investigation will utilize the following techniques...
A. Search Google with terms of interest and look for signs of malicious intent/anomalies
B. Investigate search results deeper for info gathering purposes
C. Pivot on Items of Interest, Indicators of Compromise/Association/Anomalies
D. Create Summary of Findings report and complete investigation
Using these techniques with your own skills/methodology will result in actionable intelligence that can 'tell a story' around an area of interest. Your results will depend on your own creativity, time boxing & toolsets/datafeeds available.
*theLostRabbit approaches rabbithole cautiously*
A. Choose area of interest for search topic.
Let's dive into a "Make money fast" rabbithole if we can. Using GOOGLE SEARCH we will search for the following terms (using the PAST 24 HOURS advanced search parameter)...make money fast and easy
Now let's look at the results. Ooh. The second result looks interesting...
Simple witchcraft spell to gain money in one night
hXXp://midalva[.]se/kcg/Xgf
That URL definitely seems promising. Should we click it? Absolutely!
----------------------------------------------------------------------
B. Analyze results & perform INFO GATHERING...
Let's click that link from above and see where the rabbithole takes us.
 |
| Loading Screen... |
WHOOPSY! SCAREWARE / FAKE TECH SUPPORT!!
Who's voice is that? You have my Facebook login? My bank account?! OMFG!@#$
LANDING PAGE: hXXp://www[.]big-shot-seller[.]us/
IP ADDR/ASN: 198.54.115[.]15 / AS22612
NEXT PIVOT ITEMS:
- 1-866-331-7691
- Error # 268D3
- 198.54.115[.]15
- big-shot-seller[.]us
Examining the redirect sequence - what the hell just happened?
Taking a look at the code at hXXp://midalva[.]se/kcg/Xgf and we can validate what connections have occurred...
Using the 'Developer Tools' of the browser we can identify dependent requests made during initial page load...
hXXp://zxb[.]krabns[.]com/be7a481cd.js?r=https%3A%2F%2Fwww.google.com%2F%3Fq%3Dnight%26qtk%3D1&page=http%3A%2F%2Fmidalva.se%2Fkcg%2FXgf&ti=98222&tg=42075,
Code loading from zxb[.]krabns[.]com is injecting unwanted content into the view and redirecting the browser to mobilezone24[.]com which then redirects to big-shot-seller[.]us (our SCAREWARE/FAKE TECH SUPPORT landing page).
NEXT PIVOT ITEMS:
- zxb[.]krabns[.]com
- mobilezone24[.]com
NEXT STEPS in INFO GATHERING:
Let's connect to our original link (hXXp://midalva[.]se/kcg/Xgf) again using different browsers and maybe a different GEOGRAPHICAL LOCATION (using Proxy Services, VPN or TOR to randomize your source IP address). This may yield different results and landing pages (more info gathering!).
REQUEST #1 SEQUENCE:
Upon loading our original link, we are presented with an animated loading page (I will provide additional variations of loading pages below) and then directed through a 302 redirect chain and sent to www[.]kimlostlovespells[.]com.
 |
| Click to ZOOM! |
 |
| http://www.kimlostlovespells.com |
NEXT PIVOT ITEMS:
- Spells with Results
- by Professor Ali Khim
- WhatsApp/Phone: +256703106587
- kimlostlovespells[.]com
- 64.237.55[.]221
- meta[.]7search[.]com
REQUEST #2 SEQUENCE:
Yikes! More SCAREWARE/FAKE TECH SUPPORT! Redirect chain/sequence info below...
Redirect chain for Request #2:
302 - zxb[.]krabns[.]com/be7a481cd.js?
302 - xmlfeed[.]info:8080/click?node=54&
302 - 64.15.72[.]104/click.php?go=aHR0cD
302 - 64.15.72[.]104/click_second_new3.php
302 - go[.]quali-bid[.]com:17777/click.php?
302 - singlesmatch[.]xyz/clicktracker-qualibid.php
302 - 52.25.80[.]191/1-844-284-7333/
301 - 52.25.80[.]191/1-844-284-7333/chrm
200 - 52.25.80[.]191/1-844-284-7333/chrm/
NEXT PIVOT ITEMS:
- 1-844-284-7333
- Error # 268D3
- 54.52.120[.]211
- xmlfeed[.]info
- 64.15.72[.]104
- go[.]quali-bid[.]com
- singlesmatch[.]xyz
- 52.25.80[.]191
REQUEST #3 SEQUENCE:
Here we end up at bing.com and results for the search terms:
simple witchcraft spell to gain money in one night
No Micro$oft rabbitholin' for me (for the moment)...I'm out!
NEXT PIVOT ITEMS:
You could gather the URLS and domains from top search results and perform whois & OSINT lookups to gain more infos.
----------------------------------------------------------------------
OTHER OBSERVED LOADING SPLASH PAGES:
C. NEXT PIVOT ITEMS: Reverse Lookups, OSINT & Making Connections!
We now have a nice list of data points to look into as a next step. Where do we start? Which info do we dive into first? Let's organize a quick list of all of our data...GROUP 1:
1-866-331-7691
Error # 268D3
198.54.115[.]15
big-shot-seller[.]us
GROUP 2:
zxb[.]krabns[.]com
mobilezone24[.]com
GROUP 3:
Spells with Results
by Professor Ali Khim
WhatsApp/Phone: +256703106587
kimlostlovespells[.]com
64.237.55[.]221
meta[.]7search[.]com
GROUP 4:
1-844-284-7333
Error # 268D3
54.52.120[.]211
xmlfeed[.]info
64.15.72[.]104
go[.]quali-bid[.]com
singlesmatch[.]xyz
52.25.80[.]191
---------------------------------------------------------------
And now let's start with the first group and pick 1 or 2 data points...do a quick reverse lookup, gather new infos and then move on to the next group and pick another data point.
So we will now start with GROUP 1...
DOMAIN: big-shot-seller[.]us
1. WHOIS LOOKUP: https://www.whois.com/whois/big-shot-seller.usName: Aniket Kumar
Organization: Microlive
Email: kaniket239@gmail[.]com
Address/Phone:
5701 Yatchman Ct
Brown Summit, NC 27214
+1.8669556652
PIVOT ON EMAIL ADDR: kaniket239@gmail[.]com
RESULTS (BLACKLISTED DOMAINS ASSOCIATED WITH EMAIL ADDR):
card0-us0-reaward[.]us
click-thru-obi-28[.]us
error-activation-0xc0000433[.]us
error-go-sites-get-code-0x00003121[.]us
error-recovery-0xc0000524[.]us
fast-rew0r0ds-away[.]us
gifts-online-get[.]us
in-rew00rds-prog0am[.]us
perfect-rew0fard-web[.]us
rewa0rds-we0b-off[.]us
us-breaking-news[.]us
us-news-express[.]us
windows-error-page-report[.]us
windows-online-reporting-error-0xc00000361[.]us
windows-security-alert-error-code[.]us
windows-web-security-error[.]us
windows-error-server-0xc0000617[.]us
20 MORE RECENTLY OBSERVED DOMAINS ASSOCIATED WITH EMAIL ADDR:
name-blue-ribs[.]us
silver-jsr-pot[.]us
four-who-gone[.]us
greek-name-get[.]us
film-on-kite[.]us
green-popular[.]us
violet-pee-on[.]us
bulb-maze-art[.]us
match-like-pic[.]us
walk-out-show[.]us
active-on-road[.]us
wind-on-vibe[.]us
flap-mud-pen[.]us
curtain-glow-fit[.]us
grey-portal-kite[.]us
button-case-fill[.]us
tape-cover-ample[.]us
relation-off-leg[.]us
glass-convect-case[.]us
ballot-box-pix[.]us
---------------------------------------------------------------
Now moving on to GROUP 2...
HOST: zxb[.]krabns[.]com
1. WHOIS LOOKUP: https://www.whois.com/whois/krabns.comName: Whois Agent
Organization: Domain Protection Services, Inc.
Email: krabns.com@protecteddomainservices.com
Address/Phone:
PO Box 1769
Denver, CO 80201 US
Phone: +1.7208009072
Fax: +1.7209758725
--------------
PIVOT ON IP ADDRESS (20 ADDITIONAL ASSOCIATED SUBDOMAINS RECENTLY OBSERVED):
axg[.]krabns[.]com
br[.]krabns[.]com
cfje[.]krabns[.]com
ch[.]krabns[.]com
dk[.]krabns[.]com
fet[.]krabns[.]com
il[.]krabns[.]com
jkbd[.]krabns[.]com
kec[.]krabns[.]com
lpp[.]krabns[.]com
nnoi[.]krabns[.]com
qzp[.]krabns[.]com
seiy[.]krabns[.]com
tbvw[.]krabns[.]com
tsu[.]krabns[.]com
uo[.]krabns[.]com
vfsj[.]krabns[.]com
xnxe[.]krabns[.]com
yuzh[.]krabns[.]com
zxb[.]krabns[.]com
4 HOSTS/DOMAINS OBSERVED ON SAME IP BUT FROM DIFFERENT DOMAINS:
contmritirc[.]myvnc[.]com
coultretmig[.]serveftp[.]com
ns1[.]luddns[.]com
anew[.]noip[.]me
---------------------------------------------------------------
Diving in to GROUP 3 and an observed domain name....
Diving in to GROUP 3 and an observed domain name....
DOMAIN: kimlostlovespells[.]com
Name: KHIM CASTER
Organization: KHIM SPELLS
Email: tmaniac68@gmail[.]com
Address/Phone:
BAY AREA CALIFORNIA
SAN FRANSCISCO, CALIFORNIA 94101 US
+1.4157621722
QUICK PIVOT ON EMAIL ADDR (ADDITIONAL ASSOCIATED DOMAIN NAMES):
africanexperiencesafaris[.]com
bagempireshopping[.]com
bestmagicandspells[.]com
cashmoneytemplates[.]com
cocaweu[.]org
core-initiativeug[.]org
glatteegroup[.]com
greatspellcaster[.]com
illuminatimasters[.]com
ingwegroup[.]com
kimlostlovespells[.]com
love-lovespells[.]com
lovespells-caster[.]com
lovespellsandrituals[.]com
lovespells-psychic[.]com
lovespellskim[.]com
mamahajaraspells[.]com
nativelovespells[.]com
powerfulnativespells[.]com
profmamafahimah[.]com
profmamahamidah[.]com
realspellsandmagic[.]com
sodexelectronics[.]com
soullightmin[.]org
spellsdoc[.]com
spellshome[.]com
tech-fanatic[.]com
ugacep[.]org
---------------------------------------------------------------
And finally, GROUP 4...
HOST: go[.]quali-bid[.]com
HOST/SUBDOMAIN: go[.]quali-bid[.]com (64.15.72[.]46)
MAIN DOMAIN: quali-bid[.]com (64.15.72[.]44)
QUICK PIVOT ON IP ADDR (64.15.72[.]44) USING P4SSIVET0T4L:
Pivoting on the IP Address reveals additional QUALIBID branded hosts as well as references to previously hosted 'meta[.]7search[.]com.qualibid[.]com'. We have now observed both 7search and Qualibid in multiple requests/sequences and are starting to make some connections/associations.
D. SUMMARY OF FINDINGS: Putting some of the pieces together
Now that we have completed our INFORMATION GATHERING phase we can focus on tying our connections together (if possible) and providing some context around our data and begin to tell a story and/or form new questions to be answered (and in the process create the Summary of Findings report and complete the investigation).
Let's recap...
1. Searching Google with the search terms "make money fast and easy" (and 'Past 24 hours') we discover an anomalous URL associated with 'midalva[.]se', a seemingly harmless website (in this case, the owners of this site may have been hacked and are potentially the VICTIMS in this case).
From their website (translated):
"We produce magazine Forest Technology and is responsible for advertising magazine Machine contractor. We can take on more sell orders as well as for the copy and journalist freelancing.
two co-owners
Midälva Information has two shareholders: Ove Jansson, editor, journalist and copy and Tomas Nordmark, advertising sales and finance manager. Besides Thomas and Ove Christer Nilsson company employee. He works remotely with selling ads to the newspaper Forest Technology and newspaper machine contractor."
Also, searching Google for the domain name (midalva[.]se) results in a warning to potential visitors of their website:
Notice the first result from Google has the warning "This site may be hacked" after the URL. Google lists them as a "Marketing consultant in Sundsvall, Sweden". If we take a look at Google Safe Browsing there is no indication there is a problem with this site. Hmmmmm.
 |
| https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=en#url=midalva.se |
NEXT STEPS:
Email or telephone the discovered contacts for 'midalva[.]se' to assist with remediation of staged fraudulent hosts (DOMAIN SHADOWING VICTIMS?).
----------
2. From 'midalva[.]se' we observe browsers redirected to 'krabns[.]com' (potential VICTIMS however more information is needed to verify) and then to 'xmlfeed[.]info'. Additional traffic directors/advertisers were observed including: quali-bid[.]com, meta[.]7search[.]com & singlesmatch[.]xyz/clicktracker-qualibid[.]php.
NEXT STEPS:
Email or telephone the discovered contacts for 'krabns[.]com' to assist with remediation of staged fraudulent hosts (DOMAIN SHADOWING VICTIMS?).
More research needs to be done on Qualibid, XMLFeed, 7search & Singlesmatch (and possible Clicktracker connection).
----------
3. One of the LANDING PAGES observed was 'www[.]kimlostlovespells[.]com' which has known reputation issues (screenshot of RipoffReport entry below).
 |
| http://www.ripoffreport.com/reports/kimlostlovespellscom/-/kimlostlovespellscom-ali-khim-i-was-so-stupid-uganda-kampala-1364110 |
"I was so stupid to send this guy 2000$ because he said I had some dangerous devils around me and needed to be dealt with. He is the worst person ever. Please don't ever trust this guy, he comes up with the most lame excuses to scare you. He asked me for extra 2200$ to send him cuz he needed to cleanse my money apparently and when I refused to send him that he said that he couldn't help me because apparently it's all my fault. I would never trust this guy. I am sharing This because I don't want anyone else to fall for this crap. Please stay away from this spell caster he is full of crap and bull s***."
Name: KHIM CASTER
Organization: KHIM SPELLS
Email: tmaniac68@gmail[.]com
WhatsApp/Phone: +256703106587
Could this "ACTOR" be associated with the AD NETWORKS or TRAFFIC DIRECTORS observed in our requests driving traffic to their domain for PSYCHIC SERVICE FRAUD (also...how can they not see this coming)?
NEXT STEPS:
Check for connection between domain owner and TRAFFIC DIRECTORS/AD NETWORKS observed.
----------
4. One of the LANDING PAGES observed was 'big-shot-seller[.]us which is associated with a known THREAT ACTOR (associated email address owns several domain which are currently blacklisted).
Name: Aniket Kumar
Organization: Microlive (additional ORG Names observed)
Email: kaniket239@gmail[.]com
Could this "ACTOR" be associated with the AD NETWORKS or TRAFFIC DIRECTORS observed in our requests driving traffic to their domain for the purpose of financial fraud & PHISHING SCAMS?
NEXT STEPS:
Check for connection between domain owner and TRAFFIC DIRECTORS/AD NETWORKS observed.
https://www.cursivesecurity.com/blog/2017/domain-shadowing/
"Domain shadowing is when a hacker gets access to your domain registration account, like at GoDaddy, and creates subdomains under your domain."
------------------
POSSIBLE THREATS (ACTOR/GROUP) DETECTED!- KHIM SPELLS | Professor Ali Khim | tmaniac68@gmail[.]com
- Aniket Kumar | Microlive | kaniket239@gmail[.]com
- SHADY AD NETWORKS / TRAFFIC DIRECTORS
------------------
BLACKLISTED DOMAINS DETECTED!Aniket Kumar (kaniket239@gmail[.]com) currently owns several domains themed around SCAREWARE, FAKE TECH SUPPORT, CARD & REWARD SCAMS that are BLACKLISTED (PHISHING & MORE)!
------------------
POSSIBLE PSYCHIC SERVICE FRAUD DETECTED!KHIM SPELLS/Professor Ali Khim (tmaniac68@gmail[.]com) currently owns several domains themed around MAGIC, SPELLS, WITCHCRAFT AND MONEY. This person has known reputation issues around their domain and services (courtesy of the RipoffReport).
------------------
RECOMMENDATIONS:- Add all associated domains to BLACKLISTS and propagate to all Security Devices & Service Nodes network-wide.
- Secure all domain accounts, change passwords and implement 2FA (Two-Factor Authentication) to access ADMIN panels/consoles.
- Remove any unwanted subdomains/hosts from ZONE files and cached DNS services.
- Remove rogue/unwanted directories & HTML files from compromised web servers.
- Analyze web framework used for Traffic Distribution Systems.
No comments:
Post a Comment