Categories: Cyber Crime

Fraudulent infrastructure behind 5M harvested Russian phone numbers service

Danchev, profiling a service that offers more than 5M harvested mobile phone numbers, has uncovered a fraudulent infrastructure used for illicit purposes.

Cybercrime is targeting the mobile industry more than ever: the number of attacks is rising, and the range of tools and services for the mobile market offered in the underground is growing rapidly. Attackers adapt their techniques to victims' habits and to the local legal framework. An interesting post by Dancho Danchev explained how cybercriminals are evolving their penetration methods for the mobile industry through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, “successfully setting up the foundations for commercial managed/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile malware/spam campaigns.”

The popular expert has profiled a harvested mobile phone number service advertised in the underground, discovering that it also offers SMS spamming and phone number verification services. Recent analysis revealed that the cybercriminal ecosystem is also providing Android-based botnet generating tools that allow criminal gangs to run large-scale scams and malware-based campaigns.

Danchev and his team have recently spotted a service offering 5M+ harvested and segmented Russian mobile phone numbers; the sellers offer millions of numbers sorted by business status, gender and possession of a driving license. The service exposes a long-running fraudulent Win32:SMSSend serving infrastructure hosted at SEVAHOST-AS Seva-Host Ltd (AS49313). It is interesting to note that the cybercriminals segmented the harvested mobile phone numbers of Sochi citizens and adopted a collection of malicious mobile apps to infect the victim's handset and recruit it into a mobile botnet.

The researchers discovered that the criminals used the domain hxxp://instagramm-registration.ru, which resolved to the IP address 91.228.155.210; the same address also hosts other malicious services and domains, such as rogue games and fraudulent websites.

The criminals also deployed a cloned service for segmented harvested mobile phone numbers belonging to Sochi citizens on the same IP, probably to tailor the offer to specific events such as the Olympic Games, launching social engineering driven, Android-based malware serving SMS spam campaigns.
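The two paragraphs above describe the only indicators the article gives (the domain instagramm-registration.ru and the shared hosting IP 91.228.155.210) and the fact that one IP serves several malicious domains. The following script, added here as an example and not part of the original article or of Danchev's research, shows the defender-side use of that information: pivot from the known-bad IP to every co-hosted domain in a passive-DNS style dataset, then match proxy log lines against the article's indicators and the pivoted domains. All host names ending in `.test`, all client addresses and all log lines are constructed for the illustration.

```python
"""Added example: pivoting on shared hosting and matching proxy logs
against the article's indicators. Indicators from the article:
instagramm-registration.ru and 91.228.155.210. Everything else below
(hosts under .test, client IPs, timestamps, paths) is constructed."""
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the article (the defanged hxxp:// scheme is dropped).
IOC_DOMAINS = {"instagramm-registration.ru"}
IOC_IPS = {"91.228.155.210"}

# Constructed passive-DNS style records: (domain, resolved IP).
PASSIVE_DNS = [
    ("instagramm-registration.ru", "91.228.155.210"),
    ("free-games-constructed.test", "91.228.155.210"),     # constructed
    ("sochi-numbers-constructed.test", "91.228.155.210"),  # constructed
    ("benign-site-constructed.test", "203.0.113.10"),      # constructed, TEST-NET-3
]

# Constructed proxy log (fields: timestamp client method url).
PROXY_LOG = """\
1392000001 10.0.0.5 GET http://instagramm-registration.ru/login
1392000002 10.0.0.7 GET http://benign-site-constructed.test/index.html
1392000003 10.0.0.9 GET http://91.228.155.210/app.apk
1392000004 10.0.0.5 GET http://free-games-constructed.test/play
"""


def pivot_on_ips(records, bad_ips):
    """Return {bad_ip: sorted domains} for every domain resolving to a known-bad IP.
    Co-hosted domains are candidates for review, not proof of malice on their own."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain.lower().rstrip("."))
    return {ip: sorted(by_ip[ip]) for ip in bad_ips if ip in by_ip}


_URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def host_from_url(url):
    """Extract the host part of a URL; None if the URL has no scheme://host."""
    m = _URL_HOST.match(url)
    return m.group(1).lower() if m else None


def match_proxy_log(log_text, domains, ips, cohosted=()):
    """Return (line_no, host, reason) for each log line whose URL host is an IoC
    domain, an IoC IP, or a domain pivoted from a bad IP."""
    ioc_domains = {d.lower() for d in domains}
    cohosted_domains = {d.lower() for d in cohosted} - ioc_domains
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the sweep
        host = host_from_url(parts[3])
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)  # host is a literal IP
            if host in ips:
                hits.append((n, host, "ioc_ip"))
        except ValueError:              # host is a name
            if host in ioc_domains:
                hits.append((n, host, "ioc_domain"))
            elif host in cohosted_domains:
                hits.append((n, host, "cohosted_domain"))
    return hits


if __name__ == "__main__":
    pivot = pivot_on_ips(PASSIVE_DNS, IOC_IPS)
    for ip, names in pivot.items():
        print(f"{ip} also hosts: {', '.join(names)}")
    expanded = [d for names in pivot.values() for d in names]
    for hit in match_proxy_log(PROXY_LOG, IOC_DOMAINS, IOC_IPS, expanded):
        print("hit:", hit)
```

The pivot widens the watch list from one domain to every name seen on the same IP; the `cohosted_domain` reason keeps those lower-confidence hits distinguishable from direct indicator matches so an analyst can triage them separately.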

What’s next?

In the coming months the cybercrime-as-a-service sales model will be increasingly adopted by cybercriminal groups to monetize their knowledge, responding to the growing attention that international crime is paying to the mobile industry.

Pierluigi Paganini

(Security Affairs –  harvested mobile phone numbers, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.