In May 2015, KrebsOnSecurity briefly profiled “The Manipulaters,” the name chosen by a prolific cybercrime group based in Pakistan that was very publicly advertising spam tools and a range of services for crafting, hosting and deploying malicious email. Six years later, a review of the social media postings from this group shows they are prospering, while rather poorly hiding their activities behind a software development firm in Lahore that has secretly enabled an entire generation of spammers and scammers.
The Manipulaters’ core brand in the underground is a shared cybercriminal identity named “Saim Raza,” who for the past decade across dozens of cybercrime sites and forums has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” etc.
The common acronym in nearly all of Saim Raza’s domains over the years — “FUD” — stands for “Fully Un-Detectable,” and it refers to cybercrime resources that can evade detection by security tools like antivirus software or anti-spam appliances.
The current website for Saim Raza’s Fud Tools (above) offers phishing templates or “scam pages” for a variety of popular online sites like Office365 and Dropbox. They also sell “Doc Exploit” products that bundle malicious software with innocuous Microsoft Office documents; “scampage hosting” for phishing sites; a variety of spam blasting tools like HeartSender; and software designed to help spammers route their malicious email through compromised sites, accounts and services in the cloud.
For years leading up to 2015, “[email protected]” was the name on the registration records for thousands of scam domains that spoofed some of the world’s top banks and brand names, but particularly Apple and Microsoft. When confronted about this, The Manipulaters founder Madih-ullah Riaz replied, “We do not deliberately host or allow any phishing or any other abusive website. Regarding phishing, whenever we receive complaint, we remove the services immediately. Also we are running business since 2006.”
Two years later, KrebsOnSecurity received an email from Riaz asking to have his name and that of his business partner removed from the 2015 story, saying it had hurt his company’s ability to maintain stable hosting for their stable of domains.
“We run web hosting business and because of your post we got very serious problems especially no data center was accepting us,” Riaz wrote in a May 2017 email. “I can see you post on hard time criminals we are not criminals, at least it was not in our knowledge.”
Riaz said the problem was his company’s billing system erroneously used The Manipulators’ name and contact information instead of its clients’ in WHOIS registration records. That oversight, he said, caused many researchers to erroneously attribute to them activity that was coming from just a few bad customers.
“We work hard to earn money and it’s my request, 2 years of my name in your great article is enough punishment and we learned from our mistakes,” he concluded.
The Manipulaters have indeed learned a few new tricks, but keeping their underground operations air-gapped from their real-life identities is mercifully not one of them.
ZERO OPERATIONAL SECURITY
Phishing domains registered to The Manipulaters included an address in Karachi, with the phone number 923218912562. That same phone number is shared in the WHOIS records for 4,000+ domains registered through domainprovider[.]work, a domain controlled by The Manipulaters that appears to be a reseller of another domain name provider.
One of Saim Raza’s many ads in the cybercrime underground for his Fudtools service promotes the domain fudpage[.]com, and the WHOIS records for that domain share the same Karachi phone number. Fudpage’s WHOIS records list the contact as “[email protected],” which is another email address used by The Manipulaters to register domains.
As I noted in 2015, The Manipulaters Team used domain name service (DNS) settings from another blatantly fraudulent service called ‘FreshSpamTools[.]eu,’ which was offered by a fellow Pakistani who also conveniently sold phishing toolkits targeting numerous large banks.
The WHOIS records for FreshSpamTools briefly list the email address [email protected], which corresponds to the email address for a Facebook account of a Bilal “Sunny” Ahmad Warraich (a.k.a. Bilal Waddaich).
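The pivot used in the paragraphs above (one registrant phone number or email address recurring across the WHOIS records of many domains) is routine threat-intelligence work. The Python script below is an added example, not code from this article or from Scylla Intel: it takes a set of historical WHOIS records, canonicalizes the phone, email and name-server fields so trivially different spellings still match, and clusters domains that are transitively linked by a shared indicator. Every record in it is constructed sample data on the reserved .example TLD; none of the phone numbers, addresses or domains are the real values cited in the article.

```python
"""Cluster domains by shared WHOIS contact indicators (added example)."""
import re
from collections import defaultdict

# Constructed sample WHOIS records (not real data). A real run would load a
# historical WHOIS export with the same four fields per domain.
SAMPLE_RECORDS = [
    {"domain": "secure-bank-login.example", "phone": "+92 321 891 0000",
     "email": "Billing@Reseller.example", "ns": "ns1.reseller.example"},
    {"domain": "apple-id-verify.example", "phone": "923218910000",
     "email": "hosting@other.example", "ns": "ns1.reseller.example"},
    {"domain": "fudtools-shop.example", "phone": "+1-555-0100",
     "email": "billing@reseller.example", "ns": "ns2.bulkdns.example."},
    {"domain": "office-docs-share.example", "phone": "+1 (555) 0100",
     "email": "someone@mail.example", "ns": "ns9.unrelated.example"},
    {"domain": "webmail-reset.example", "phone": "+92 42 111 2222",
     "email": "admin@webmail-reset.example", "ns": "NS1.reseller.example"},
    {"domain": "legit-bakery.example", "phone": "+44 20 7946 0000",
     "email": "owner@legit-bakery.example", "ns": "ns1.bighost.example"},
]


def normalize(field, value):
    """Canonicalize a contact field so cosmetic differences do not hide a match."""
    value = value.strip().lower()
    if field == "phone":
        return re.sub(r"\D", "", value)   # keep digits only: +92 321 ... == 92321...
    if field == "ns":
        return value.rstrip(".")          # drop the trailing dot of a FQDN
    return value                          # email: lowercase is enough here


def indicators(record, fields):
    """Yield (field, canonical value) pairs usable as pivots for one record."""
    for field in fields:
        raw = record.get(field)
        if raw:
            canon = normalize(field, raw)
            if canon:
                yield (field, canon)


def indicator_counts(records, fields=("phone", "email", "ns")):
    """Number of distinct domains carrying each indicator, i.e. the
    'N domains share this phone number' style of observation."""
    seen = defaultdict(set)
    for rec in records:
        for ind in indicators(rec, fields):
            seen[ind].add(rec["domain"])
    return {ind: len(doms) for ind, doms in seen.items()}


def cluster_by_shared_indicators(records, fields=("phone", "email")):
    """Group domains transitively linked by a shared indicator (union-find).
    Name servers are left out by default: a shared NS at a large provider
    ties thousands of unrelated domains together and is a weak pivot."""
    parent = {rec["domain"]: rec["domain"] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    owners = defaultdict(set)   # indicator -> domains that carry it
    for rec in records:
        for ind in indicators(rec, fields):
            owners[ind].add(rec["domain"])
    for doms in owners.values():
        doms = sorted(doms)
        for other in doms[1:]:
            parent[find(other)] = find(doms[0])

    groups = defaultdict(set)
    for dom in parent:
        groups[find(dom)].add(dom)

    clusters = []
    for members in groups.values():
        # Only indicators shared by two or more members explain the cluster.
        links = {ind: sorted(d) for ind, d in owners.items()
                 if len(d) > 1 and d <= members}
        clusters.append({"domains": sorted(members), "links": links})
    clusters.sort(key=lambda c: (-len(c["domains"]), c["domains"][0]))
    return clusters


if __name__ == "__main__":
    for c in cluster_by_shared_indicators(SAMPLE_RECORDS):
        print(len(c["domains"]), "domain(s):", ", ".join(c["domains"]))
        for (field, value), doms in c["links"].items():
            print(f"   shared {field} {value}: {', '.join(doms)}")
```

On the sample data the default run yields one four-domain cluster held together by a phone number and a billing email, plus two singletons; passing `fields=("phone", "email", "ns")` pulls `webmail-reset.example` in through a shared name server, which is exactly the kind of link a careless analyst over-trusts. Riaz’s own explanation (a reseller billing system stamping its contact details onto clients’ records) is the reason a shared indicator is a lead to corroborate with hosting, social media and ad postings, as the article goes on to do, rather than proof of common ownership by itself.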
Warraich’s Facebook profile says he works as an IT support specialist at a software development company in Lahore called We Code Solutions.
A review of the hosting records for the company’s website wecodesolutions[.]pk shows that over the past three years it has shared a server with just a handful of other domains, including:
The profile photo atop Warraich’s Facebook page is a group photo of current and former We Code Solutions employees. Helpfully, many of the faces in that photo have been tagged and associated with their respective Facebook profiles.
For example, the Facebook profile of Burhan Ul Haq, a.k.a. “Burhan Shaxx,” says he works in human relations and IT support for We Code Solutions. Scanning through Ul Haq’s endless selfies on Facebook, it’s impossible to ignore a series of photos featuring various birthday cakes with the words “Fud Co” written in icing on top.
Yes, from a review of the Facebook postings of We Code Solutions employees, it appears that for at least the past five years this group has celebrated an anniversary every May with a Fud Co cake, non-alcoholic sparkling wine, and a Fud Co party or group dinner. Let’s take a closer look at that delicious cake:
The head of We Code Solutions appears to be a man named Rameez Shahzad, the older individual at the center of the group photo in Warraich’s Facebook profile. You can tell Shahzad is the boss because he’s at the center of almost every group photo he and other We Code Solutions employees posted to their respective Facebook pages.
Shahzad’s postings on Facebook are even more revelatory: On Aug. 3, 2018, he posted a screenshot of someone logged into a WordPress website under the username Saim Raza — the same identity that’s been pimping Fud Co spam tools for close to a decade now.
“After [a] long time, Mailwizz ready,” Shahzad wrote as a caption to the photo:
Whoever controlled the Saim Raza cybercriminal identity had a penchant for re-using the same password (“lovertears”) across dozens of Saim Raza email addresses. One of Saim Raza’s favorite email address variations was “[email protected][pick ISP here]”. Another email address advertised by Saim Raza was “[email protected]”
So it was not surprising to see Rameez Shahzad post a screenshot to his Facebook account of his computer desktop, which shows he’s logged into a Skype account that begins with the name “game.” and a Gmail account beginning with “bluebtc.”
KrebsOnSecurity attempted to reach We Code Solutions via the contact email address on its website — [email protected][.]pk — but the message bounced back, saying there was no such address. Similarly, a call to the Lahore phone number listed on the website produced an automated message saying the number is not in service. None of the We Code Solutions employees contacted directly via email or phone responded to requests for comment.
FAIL BY NUMBERS
This open-source research on The Manipulaters and We Code Solutions is damning enough. But the real icing on the Fud Co cake is that sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s past and current business operations.
That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Whoops.
Scylla co-founder Sasha Angus said the messages that flooded their inbox once they set up an email server on that domain quickly filled in many of the details they didn’t already have about The Manipulaters.
“We know the principals, their actual identities, where they are, where they hang out,” Angus said. “I’d say we have several thousand exhibits that we could put into evidence potentially. We have them six ways to Sunday as being the guys behind this Saim Raza spammer identity on the forums.”
Angus said he and a fellow researcher briefed U.S. prosecutors in 2019 about their findings on The Manipulaters, and that investigators expressed interest but also seemed overwhelmed by the amount of evidence that would need to be collected and preserved about this group’s activities.
“I think one of the things the investigators found challenging about this case was not who did what, but just how much bad stuff they’ve done over the years,” Angus said. “With these guys, you keep going down this rabbit hole that never ends because there’s always more, and it’s pretty astonishing. They are prolific. If they had halfway decent operational security, they could have been really successful. But thankfully, they don’t.”