Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

From Russia with Love


DFPKSUCPTSWXMPF

Exposed.su


A site popped up at the domain exposed.su and, within its pages (alongside malware lurking for an IE exploit), sits all kinds of personal financial data on famous people. Among those hit were Hillary Clinton, Al Gore, FBI Director Mueller and others. The data on the site seems to be somewhat legit, and soon after the page made a splash in the news the DOJ (FBI), the Secret Service (USSS) and others had the government officials' pages pulled off of Cloudflare's servers. Having looked at some of the data myself before it was pulled, I thought I would have a look-see at this domain and what I could gather as to who was behind it. After some Maltego (Radium) work I began to realize that this all seemed to be emanating out of Russia: the domain was registered using an email address at "allperson.ru", which on further searching turned up a den of sketchy sites.

Domain Data:

domain: EXPOSED.SU
nserver: dave.ns.cloudflare.com.
nserver: fay.ns.cloudflare.com.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: exposed.su@allperson.ru
registrar: REGTIME-REG-FID
created: 2013.03.06
paid-till: 2014.03.06
free-date: 2014.04.08
source: TCI

Last updated on 2013.03.14 17:21:38 MSK

I then followed up with searches for allperson.ru email addresses and the domains attached to them. What I found was a pattern of behavior: most of these addresses were used to register scam sites, free MP3 or video sites, and one forum for all kinds of coding and what looks to be scam techniques. Basically, I think that whoever set up exposed.su is affiliated with allperson.ru and/or Legato LLC (scammers), per the information and connections you will see below. Of note, though, is that nothing in the exposed.su record directly ties it to anyone in particular; the registrant is a "Private Person" and the only lead is the mailbox at allperson.ru. However, once you start digging around you can make connections between individuals and groups, including addresses and persons involved in the ZEUS botnet.

Allperson.ru


domain:        ALLPERSON.RU
nserver:       ns1.tuthost.com.
nserver:       ns2.tuthost.com.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Andrej V Punegov
phone:         **********
e-mail:        an@kazancity.net
registrar:     REGTIME-REG-RIPN
created:       2007.09.25
paid-till:     2008.09.25

Allperson.ru was a service/site that had about five mail servers and was originally registered back in 2007 (see the created date above). As you can see from the domain data, it was registered by an "Andrej V Punegov". Searches for Andrej give up a laundry list of sites and data he has been affiliated with in the past; not much more comes up in the "Googles", so I will leave it at that for the moment. The list of sites he has registered is long, though, so it is likely that this is another player who has moved on to bigger and better scams... if that is a real name at all. The email address provided also gives up some interesting hits, including an IRC site, which I will leave for another day.

Another interesting address in the allperson.ru set is demand.su@allperson.ru. This address was directly tied to the ZEUS botnet that was taken down by Microsoft and is listed in the plaintiff's filing. So here we have a direct tie between this allperson domain and Zeus, with only a handful of email addresses in between. Could it be that this is all tied together? In fact, look at the mailbox name "demand.su": the same format as exposed.su... Coincidence?


Domain check (wml.su):
e-mail: wml.su@allperson.ru
e-mail: evgenij.w@gmail.com
e-mail: wml.su@mail.ru
nserver: ns1.wml.su. 62.149.12.117
nserver: ns2.wml.su. 62.149.13.81
created: 2006.06.29

wml.su


Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registration date: 2007-11-02
Last updated: 2012-02-11
Expiration date: 2013-11-02
Owner, Administrative, Technical Contacts:
Email: evgenij.w@gmail.com [4 domains use this email]
Name: Evgenij Ermolenko [4 domains use this name]
Phone: +3.80976061100 [4 domains use this phone]
Address: Katyuzhanka
Katyuzhanka
Kiev Oblast,07313
UA
WML2.COM IP: 62.149.13.81
The IP belongs to ISP COLOCALL LTD
ISP domain: COLOCALL.NET

Then there is wml.su@allperson.ru, which has an interesting history and present. It ties to the domain/site forum.wml.su, which happens to be a little forum for what looks to be warez and other illicit things, as well as possibly a hub for site design and programming. The owner of this site also listed evgenij.w@gmail.com as an alternate email address. Following up on that address, we get records showing it was used on four domains, and within those a new name: Evgenij Ermolenko, who has quite the digital breadcrumb trail to follow. Now Evgenij's site wml.su has also been shown to be a site for infecting phones with trojans (see above), and he seems to be quite the player here in the world of malware and scams.
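The pivoting used throughout this post (a shared registrant mailbox, the mailbox's provider domain, a nameserver's glue IP, a phone number or a name turning up on several records) is what a Maltego run automates. Below is an added example, not part of the original post and not the author's tooling, that does the same linking in Python over the whois records quoted on this page, re-typed here as constructed sample data with the fields the post does not show left out. The helper names, the `NOISE_NAMES` placeholder list and the `FREEMAIL` provider list are assumptions of the example. It deliberately refuses to pivot on shared nameservers, privacy placeholders or free-mail providers, since a CDN, "Private Person" or gmail.com would link everyone to everyone, and it shows that exposed.su reaches wml.su and wml2.com only through the allperson.ru mailbox, while allperson.ru's own registration record shares nothing with any of them.

```python
"""Link domains by shared WHOIS attributes (registrant e-mail, e-mail
provider domain, nameserver glue IP, phone, name): the pivoting a Maltego
run does. Added example; the records are re-typed from the whois output
quoted in the post as constructed sample data."""
from collections import defaultdict, deque
import re

# Constructed sample records, transcribed from the whois output above.
SAMPLE_WHOIS = {
    "exposed.su": """\
nserver: dave.ns.cloudflare.com.
nserver: fay.ns.cloudflare.com.
person: Private Person
e-mail: exposed.su@allperson.ru
registrar: REGTIME-REG-FID
""",
    "allperson.ru": """\
nserver:       ns1.tuthost.com.
nserver:       ns2.tuthost.com.
person:        Andrej V Punegov
e-mail:        an@kazancity.net
registrar:     REGTIME-REG-RIPN
""",
    "wml.su": """\
e-mail: wml.su@allperson.ru
e-mail: evgenij.w@gmail.com
e-mail: wml.su@mail.ru
nserver: ns1.wml.su. 62.149.12.117
nserver: ns2.wml.su. 62.149.13.81
""",
    "wml2.com": """\
Email: evgenij.w@gmail.com
Name: Evgenij Ermolenko
Phone: +3.80976061100
IP: 62.149.13.81
""",
}

# Registry-specific field names (.ru/.su vs generic whois) mapped to one pivot key each.
FIELD_ALIASES = {"e-mail": "email", "email": "email", "nserver": "nameserver",
                 "person": "name", "name": "name", "phone": "phone", "ip": "ip"}
# Values that would link unrelated domains: privacy placeholders and free-mail
# providers. Illustrative lists, an assumption of this example.
NOISE_NAMES = {"private person"}
FREEMAIL = {"gmail.com", "mail.ru"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_whois(text):
    """Yield (pivot_key, value) pairs from 'key: value' lines. A nameserver
    line may carry a glue IP, which becomes a pivot of its own."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = FIELD_ALIASES.get(key.strip().lower()), value.strip().lower()
        if not sep or not key or not value:
            continue
        if key == "nameserver":
            host, *rest = value.split()
            yield "nameserver", host.rstrip(".")
            for ip in IPV4.findall(" ".join(rest)):
                yield "ip", ip
        elif key == "email":
            yield "email", value
            provider = value.rsplit("@", 1)[-1]
            if provider not in FREEMAIL:      # gmail.com is not a lead
                yield "email_domain", provider
        elif key == "name" and value in NOISE_NAMES:
            continue
        else:
            yield key, value


def build_index(records, skip=("nameserver",)):
    """attribute -> set of domains carrying it. Shared nameservers are
    skipped by default: a CDN or hosting provider links everyone."""
    index = defaultdict(set)
    for domain, text in records.items():
        for pair in parse_whois(text):
            if pair[0] not in skip:
                index[pair].add(domain)
    return index


def shared_pivots(records):
    """Attributes seen on two or more domains, with the sorted domain list."""
    return {attr: sorted(doms) for attr, doms in build_index(records).items()
            if len(doms) > 1}


def link_path(records, start, goal):
    """Breadth-first search over domains joined by a shared attribute.
    Returns [(domain, attribute_that_led_here), ...] or None if unlinked."""
    adj = defaultdict(dict)
    for attr, doms in shared_pivots(records).items():
        for a in doms:
            for b in doms:
                if a != b:
                    adj[a].setdefault(b, attr)
    queue, seen = deque([(start, [(start, None)])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for nxt, attr in adj[node].items():
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, attr)]))
    return None


if __name__ == "__main__":
    for attr, doms in shared_pivots(SAMPLE_WHOIS).items():
        print(f"{attr[0]}={attr[1]!r} shared by {', '.join(doms)}")
    print("exposed.su -> wml2.com:", link_path(SAMPLE_WHOIS, "exposed.su", "wml2.com"))
    print("exposed.su -> allperson.ru:", link_path(SAMPLE_WHOIS, "exposed.su", "allperson.ru"))
```

Run stand-alone it lists three usable pivots (the allperson.ru mailbox provider, the evgenij.w@gmail.com address, and the 62.149.13.81 glue IP) and a two-hop chain exposed.su to wml.su to wml2.com, while exposed.su to allperson.ru comes back None. That None is the caveat the post itself raises: the link to Punegov runs through his mail service, not through any attribute his record shares with exposed.su, and how much weight a shared provider deserves depends on how small that provider is (a five-server shop is a far better lead than a free-mail giant, which is why the example drops gmail.com and mail.ru).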

Evgenij... time to worry a little, I think. Probably not much, as you are located in Kiev Oblast, or Moscow, or... who the hell knows. The fact of the matter is you are one of those Russian bandito boys that pretty much never gets caught by the long arm of the law, right?

Legato LLC


Then there is Legato LLC. This is an interesting little corporation out of the same oblast (coincidences, coincidences) that has had its share of run-ins with illegality. Under private ownership, it is alleged to have been created in 1970? Its *cough* businesses cover anything from advertising to email and information technology. Hmmmm, one wonders if they had a hand in the creation of allperson.ru and maybe still have some email servers that are being pointed at? Either way, it seems that Legato may also have been involved in the ZEUS botnet, because the players here all seem to be connected by their digital trails as well as by their penchant for naming conventions. One of the scam sites was Geo Electronics, and it seems they were in the business of straight-out fraud as well as money laundering and mule recruitment. Oh yeah, it's getting deep now, eh? It would seem that this rabbit hole goes on further, but I am getting claustrophobic in it, so I will leave off here with the detective work.

Conclusions:

Ok, so what do we have? Well, we have a constellation of sites tied to an old, defunct email system that seems to have ties to Legato LLC and to Zeus, as well as to money laundering and such. Why, then, does this site pop up and start dumping data on famous people's credit histories? Histories and information that may not in fact be correct to begin with? Even though the USSS and FBI are looking into this, I have to wonder whether the data was correct. I am hearing that some of the phone numbers were not right at all and that this all really ties back to some hack on credit services this week. What is the motive here? Well, the Twitter feed and one of the links seem to point to someone with a grudge against the LAPD (re the Dorner affair) and the police in Russia. Since the Twitter feed is down I missed the tweet that mentioned that, but meh, I am not that concerned at present.

Could this be an Anon-motivated kind of thing? Well, the imgur picture of the girl on the page does come from an Anonymous-tied/named site, but that is really tenuous to start with, though it could be. Overall, though, this site and the data seem to have rankled the feds a bit, so maybe it was just for the lulz. Could this person just have had access to the site data and used it to make this site and make it look like it came from Russia? Maybe... but overall the feel of it and the ancillary data seem to show that it was someone involved in the Russian sites, including Zeus. PERHAPS they are just pissed off that their money-making scheme vis-a-vis ZEUS got shut down?

That's a lot of maybes, huh? But hey, them's the internetz, kids. Your mileage may vary, but keep an eye on this one, because I am sure there are more than a few subpoenas going out to Cloudflare, where this is all hosted. One of the funniest things about this site, though, was that one of the links was to a credit dispute site. Now that's cheeky!

K.

Written by Krypt3ia

2013/03/14 at 18:02

Posted in Blackhat, Cracking, crime
