Rack of Ethernet switches.

Keeping Track of the Bad Guys

Keeping Track of the Bad Guys

When I took some Russian classes at Purdue, I was one of the few non-ROTC students in the room. In that same spirit of "know your adversary"....

Criminal Markets

There are sites where "carding" or selling stolen credit card information goes on openly. Also counterfeit currency, stolen smart phones, etc. OmertaHack is one example.

Hackers in the Classic Sense of the Term

Magazines and web sites catering to the community of bad guys, or at least security researchers plus some wannabe bad guys and posers, include 2600 and Phrack.

Hacker hangouts and groups providing information exchange and tools include the Chaos Computer Club Berlin.

Hacker Technology

There are lots and lots of ready-to-compile programs for testing your systems with the same weapons the hackers will use. Start looking at Packet Storm Security and AntiOnline

Stack smashing refers to a specific form of attack on poorly coded memory management code. There was a great paper on how to exploit poor coding via buffer overflow and related attacks in Phrack volume 49, "Smashing The Stack For Fun And Profit". Get the original paper at insecure.org Packet Storm.

There's a nice follow-up paper on writing advanced buffer overflow exploits.

Spamming and Stolen Accounts

Criminal organizations openly sell access to hacked systems and spamming software. I received the following email. "WebMails" will mean stolen webmail accounts, "Shells" mean access to hacked Linux/UNIX systems, "RDP" mean access to hacked Windows systems.

From: TOOLX.SX <info@bmw-avtoport.ru>
Subject: FRESH SPAM TOOLS ON SHOP (SMTP UNLIMITED + RDP FRESH IP)
Reply to: TOOXSHOP@YAHOO.COM

TOOLX.SX - Support 24/7 - WELCOME

  * WebMails : with only _10$_ .
  * Inbox Mailers : Starting from _7$_ .
  * Shells _5$_ .
  * Gold Unlimited Smtp's : _6$_ .
  * Big & Fresh Leads : Starting with _10$_ .
  * RDP's ( WIN 2008 & 2003 & 7 & XP ) : Starting with Only _10$_ .(Administrators)
  * Private Scam Pages , Tutorials , Tools , Exploits , Scripts in Sections :
    Files & Hack & More Tools Just Register on toolx.sx <http://www.toolx.sx> .
  * Go to toolx.sx <http://www.toolx.sx> , Register , ADD Funds To Your Account
    : http://toolx.sx/balance.php <http://www.toolx.sx/balance.php>
    ***

            NEW BIGG UPDATE: - RDP = USA & Worldwide [2003-2008] / Shells /
	    SMTPs / Mailers / Leads / cPanel. - Support 24/7 - WELCOME

We Currently Accept as Method of Add Funds :
*Bitcoin* & *PerfectMoney*& *Coupon Code System*
If you not have account , Free Register at *http://toolx.sx* <http://www.toolx.sx>


Sincerely,

toolx.sx SHOP Team ©
Web: *http://toolx.sx* <http://www.toolx.sx> ******************

**********Login at our shop now: *Go to store now <http://www.toolx.sx>***********

© Toolx.sx - The Best Store 2012-2015


  toolx.sx

Let's look at the headers to see where this came from:

Return-Path: info@bmw-avtoport.ru
Received: from resimta-po-12v.sys.comcast.net (LHLO
 resimta-po-12v.sys.comcast.net) (96.114.154.140) by
 resmail-ch2-291v.sys.comcast.net with LMTP; Thu, 16 Jun 2016 04:50:34 +0000
 (UTC)
Received: from mail.visko-td.ru ([92.39.142.238])
        by resimta-po-12v.sys.comcast.net with comcast
        id 7GqW1t00g58p8DG01GqXy2; Thu, 16 Jun 2016 04:50:33 +0000
X-CAA-SPAM: N00001
X-Authority-Analysis: v=2.2 cv=Z6cDJDZA c=1 sm=1 tr=0 p=CuUU-2S5AAAA:8
 p=FQcSCCfIWczPZYWNgecA:9 p=IC0bq68s7SMhLFC5:21 a=A0n+dx4VeM4CxFeTCCKc1A==:117
 a=A0n+dx4VeM4CxFeTCCKc1A==:17 a=9cW_t1CCXrUA:10 a=Dyoqhi_TatcA:10
 a=47kyEjea234A:10 a=Cfj4BQAnxiAA:10 a=QHxmGfcNzOwA:10 a=pD_ry4oyNxEA:10
 a=8AvH1LBivTgA:10 a=XH8yafb-v7IA:10 a=pnnV3C4PK3yGex1eHNS2:22
X-Xfinity-Message-Heuristics: IPv6:N
Received: from localhost ([127.0.0.1])
        by mail.visko-td.ru (Kerio Connect 8.0.0);
        Thu, 16 Jun 2016 07:50:28 +0300
Reply-To: <TOOLXSHOP@YAHOO.COM>
From: "TOOLX.SX"<info@bmw-avtoport.ru>
Subject: FRESH SPAM TOOLS ON SHOP (SMTP UNLIMITED + RDP FRESH IP)
Date: Thu, 16 Jun 2016 05:50:28 +0100
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 

They're not trying to hide! This seems to have come right out of mail.visko-td.ru, and the IP block 92.39.136.0/21 is allocated to InterTelecom ISP in Ryazan, Russia.

Back to the main Security Page