Tuesday, 2 April 2013

"Russian Hackers" spam / kidala.info / hack-sell.su

These spam messages appear to be promoting the underground websites kidala.info and hack-sell.su, both of which appear to be engaged in hacking, crimeware and fraud. But is there something else going on here?

Date:      Tue, 2 Apr 2013 18:07:48 +0700 [07:07:48 EDT]
Subject:      Russian hackers has you neo!

Russian hackers has you neo!
kidala dot info
or this kidala.info

==========================

Date:      Tue, 2 Apr 2013 17:17:29 +0700 [06:17:29 EDT]
Subject:      Russian hackers has you neo!

Need buy some shells?
http://kidala.info

==========================

Date:      Tue, 2 Apr 2013 16:27:24 +0700 [05:27:24 EDT]
Subject:      Russian hackers has anything you need.

World Best hack conference hereurl here: kidala.info

==========================

Date:      Tue, 2 Apr 2013 12:30:09 +0530 [03:00:09 EDT]
Subject:      World Interesting hack site here

Hi Manurl here: http://hack-sell.su

==========================

Date:      Tue, 2 Apr 2013 02:58:24 +0200 [04/01/13 20:58:24 EDT]
Subject:      Russian hackers mafia OWNS YOU!

Russian mafia has you...
hack-sell.su
or this hack-sell dot su

==========================

Subject:      Russian bad boys forum here, come join!

World baddest hackers join us hereurl here: hack-sell .su

==========================

Date:      Mon, 1 Apr 2013 16:01:59 -0400 [04/01/13 16:01:59 EDT]
Subject:      Russian hackers has anything you need.

Prime hack portal here!
hack-sell dot su
or this hack-sell dot su 

(Note that the emails may appear to be "from" your own account or someone in your own organisation. Don't worry, you have not been hacked.. forging an email address is trivially easy (described here).)

But there's something unusual here: these spams are being sent repeatedly to SpamCop.net email addresses, and I haven't seen them anywhere else. So why send spam emails to people who are very likely to file an abuse complaint.. unless you want the recipient to file an abuse complaint, that is.

This sort of attack pattern looks like a Joe Job, perhaps from a rival to these two underground forums. Targeting addresses that will likely file a complaint is a sort of reverse listwashing, and the pattern of repeated emails to the same address is also a Joe Job characteristic. And the thing about underground forums.. well, they don't tend to spam at all because they like to remain under the radar.

The sites don't appear to be hosting malware, so if you've accidentally clicked through you are probably OK, although both sites look like they are down at the moment. There may well be more Joe Jobs after this one though, so don't be surprised if more rubbish floods your inbox.

Update: these subject lines are in use at the moment..
Best crack phorum so far!
Best hack conference so far!
Need buy some abuseimmune servers?
Need buy some injects?
Need buy some loads?
Need buy some socks?
Need buy some traffic?
Russian bad boys forum here, come join!
Russian hackers has anything you need.
Russian hackers has you neo!
Russian mafia has you...
Russian hackers mafia OWNS YOU!
Superior crack site so far!
World baddest hackers join us here
World Best hack website here
World Superior hack conference here

36 comments:

Ashley said...

Have seen a couple of these. Also some are addressed to a company director and have two other email addresses in the cc for the same domain. One is a mis-parse of webmaster@????.co.uk.

Conrad Longmore said...

@Ashley: interesting.. I wonder if the directors are being picked out deliberately. I do think that these addresses are being carefully picked out to cause maximum annoyance.

Damian Hall said...

Hello there, I'm having the same emails coming through.
They seem to be from my own host's email account.
For example, I have an email damian@blabla.co.uk and info@blabla.co.uk. The damian email is what seems to be sending me the emails. That email isn't my actual email either, just an example. It's really annoying because I then get an auto response email to myself. I'm worried that my emails have been hacked so I'm going to phone my host tonight.

Conrad Longmore said...

@Damian: all these emails have forged "from" addresses, usually matching one of the "to" addresses. Your email hasn't been hacked, these forgeries are trivially easy.

Koos van den Hout said...

I am seeing the same spam, and I sometimes mention spam and scams on my private website. So I would agree with the theory of causing maximum annoyance.

Damian Hall said...

@conrad. Thanks for your reply. I didn't even know that was possible so thanks. It is so annoying. The other thing was it's my own company and company email so maybe it's something to do with me being a director. Wish there was something they could do about these nuisance spam emails.

allen holmes said...

I recently have been receiving e-mails trying to get my details over to them, saying that I had won a large amount of money... I told them where to go and now I'm also getting the Russian mafia thing.

allen holmes said...
This comment has been removed by the author.
Ashley said...

@Conrad It would appear that they harvested the email addresses from somewhere other than our own services. Specifically I think they have come from publicly available company registration information, widely available online.

Conrad Longmore said...

@Ashley, it might be a spear-phishing list. That could contain company directors. The people behind the spam possibly have access to data like this.

Me said...
This comment has been removed by the author.
Me said...

I've had loads of these emails in the last 48hrs. I'm glad a lot of people are getting them because I thought perhaps it was a personal attack or something since it targeted 2 of my email addresses.

Terri Ferguson said...

Thank you Conrad for your explanation and for answers and insight from the other commenters as well. I got about 30 of these emails last night and went into total panic until I found this website. I am no-where near a director and it is a personal email address, however I have also recently been receiving junk mail regarding all the lotteries and payouts that are waiting for me to claim them so perhaps they are all linked.
What really worried me was the fact that it was my own email address that was being used and I was worried that I might have exposed my friends and family to a hacker.
Guess it is just a case of waiting for them to get bored and go away

Me said...

We got hacked by them 2 days after getting these emails....

"Your Website Got Hacked By Neo Haxor :P"

buckwildbill said...

I'm getting about 20 or so of these emails a day to a webmaster@ address on one of my domains for the past few days.

Bazza said...

Looks very much like a Joe job to me. The fourth day of receiving this Spam. I notice kidala.info is back online, but is password protected. SpamCop now reports http://kidala.info/ has been appealed previously. Seems like CloudFlare happy to provide a service to this type of site.

Ovo said...

Those spams are different for one more reason. As I can see in my domain spam collector on Google Mail, they are targeting e-mail addresses which have not received any spam so far, while avoiding those that receive spam frequently.
So they use a very reliable target address source, which annoys me most.

Llamas said...

I've received around 60 of them in the last three days. I'm listed as a company director (sole trader) and they are deeply annoying but having had threats recently from a "hacker" (ie some incredibly stupid little tart who tried to blackmail me, with really badly spelled nonsense, over Facebook - yup, you're SO a hacker love) I was worried she might be making good. Glad to see it's not just me though it's INCREDIBLY irritating.

Björn Bouvier said...
This comment has been removed by the author.
Llamas said...

Interesting though, I'm in design/illustration and while I follow, eg, Anonymous and whatnot on Twitter, I'm not involved in any practical way with hacking - spamming me would do nothing cos I have no 'industry' clout or links or anything (thought that was worth pointing out).

Björn Bouvier said...

Every day, I also get spammed by this Russian mafia thing, mentioning the kidala web page. But it is only my Yahoo account that is affected by this spam.

Rupert Parsons said...

I've also had dozens of these over the past few days, some from random names and some as if from my own email address. Is there a way of blocking these? Clearly I can't block emails from myself!

Rob Kendall said...

So is there anything we can do to stop these e-mails coming through?
They are incredibly annoying.

Conrad Longmore said...

A good spam filter should be blocking all or most of these already. The problem is that every email provider handles spam differently, so it isn't possible to give specific guidance.

Normally Joe Job attacks last for a few days and stop, either achieving what they aimed for or failing. If you are getting plagued by these then it will probably stop soon.

Papajis said...

I am a company Director and have been receiving many of these over the last 4 days. I've changed all my passwords and run a scan with nothing stopping them. Scan did pull up a Trojan called Chronoski (or something thereabouts, should have written it down before having it removed) but even though this has been removed and not coming up on previous scan, I'm still getting spammed. And like others, some of them are from myself!!

How can we stop this? Help!!

Unknown said...

If it is a "Joe Job", it has succeeded, because the company that provides DNS-services (translates their domain-name to an IP-address) is supplying the "reserved" IP-address ('loopback' <-> 127.0.0.2), instead of the actual IP-address of the site:


Name: www.kidala.info
Address: 127.0.0.2


kidala.info nameserver = ns2.parkingcrew.net
kidala.info nameserver = ns1.parkingcrew.net

So, when you try to connect, you are connecting _only_ to your OWN computer.




Unknown said...

The spammers seem to have widened their target E-mail IDs, judging by the headers of the E-mail that I received:

From: ,
,
,
,

Cc: ,
,
,

To: ,
,
,
,

Cc: ,
,
,

Unknown said...

Ack!

This blog accepts the "less-than" symbol in the "comment" area, but does not change it to '<', so that anything I type between a "less-than" and a "greater-than" character is not visible to anybody displaying this blog.

Unknown said...

Ack, again!

I typed "ampersand-ell-tee-semicolon", and it too was not "escaped". So, anybody viewing the blog will see "<" instead of seeing "&lt;".

Bad programming!!!

Unknown said...

This lack of "escaping" might allow me to enter text like:

&lt;script src="http://hacker.website.owned.by.me" &gt;

Anybody viewing the blog would have their web-browser embed the JavaScript from that "rogue" web-site.

Bad, bad, bad!

ShaneTFletcher said...

The IP of the emails is - 190.237.90.3.
The location is the following -

Calle San Felipe 1144 - Surquillo, 1144,
LI34 - Lima -
PE
phone: +51 1 2106771

For the good will of the internet users!

Ann Millar said...

Thank you so much for this site. I'm a director of my own (small) company. I received the first email from my own company address on 31st March with the heading 'Russian Mafia Hackers Owns You'. I panicked, contacted my host administrator at midnight who immediately changed my passwords but then received another 5 mails. I changed my password again and haven't connected to the server since. I have of course reported the incident to the authorities. I've now lost a week's worth of business! How do I know if they've definitely hacked my account, or it's a spam attack?

Conrad Longmore said...

@Ann, your email account has not been hacked. If a spam email appears to be "from" yourself, it is almost always because of spoofing which is trivially easy to do. It's a bit technical, but I have tried to explain what is happening here.

Dan Horridge said...

Hello All,

I had a lot of these recently.

The IP address 2.134.226.164 is apparently Kazakhstan (JSC Kazakhtelecom, East Kazakhstan Affiliate, Metro Ethernet Network)

The domain kidala.info they want me to click/report is registered in Panama. And like someone has already mentioned resolves to local host.

What a waste of everyone's time!!!!

****SPAM MESSAGE BELOW*****
****(Some < and > replaced with ( and ))****
****Also replaced my e-mail address with me@mydomain.com****

Received: from [2.134.226.164] (port=52279 helo=9theolddistillery.com)
by just134.justhost.com with esmtp (Exim 4.80)
(envelope-from (nebularudv@9theolddistillery.com))
id 1UNl7s-0004Lb-JR
for me@mydomain.com; Thu, 04 Apr 2013 08:26:52 -0600
Received: from 2.134.226.164(helo=pzdyo.eqxij.info)
by with esmtpa (Exim 4.69)
(envelope-from )
id 1MM8UW-2917kt-MJ
for me@mydomain.com; Thu, 4 Apr 2013 17:26:51 +0300
To: (me@mydomain.com)
Subject: Russian bad boys forum here, come join!
From: (me@mydomain.com)
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-Spam-Exim: 7_uhaKTXs5yUFRKI89NENZrU

(!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN")
(HTML)(HEAD)
(meta http-equiv="Content-Type" content="text/html; charset=windows-1251")
(/head)
(body )
World baddest hackers join us hereurl here: http://kidala.info(/BODY)(/HTML)
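
As an added example (not from the original post or any of its commenters), here is a defender-side header check for the forgery the post describes and for the Received headers quoted in the comment above. It treats the topmost Received line, written by the recipient's own mail server, as the only trustworthy hop, pulls out the connecting IP and the envelope sender, and flags the two tells visible here: a From header identical to the To header, and an envelope sender on a different domain from the From header. The sample message is constructed from the quoted headers with the angle brackets restored; me@mydomain.com is the commenter's own placeholder.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the comment above
# (angle brackets restored; me@mydomain.com is the commenter's placeholder).
SAMPLE = """\
Received: from [2.134.226.164] (port=52279 helo=9theolddistillery.com)
\tby just134.justhost.com with esmtp (Exim 4.80)
\t(envelope-from <nebularudv@9theolddistillery.com>)
\tid 1UNl7s-0004Lb-JR
\tfor me@mydomain.com; Thu, 04 Apr 2013 08:26:52 -0600
Received: from 2.134.226.164(helo=pzdyo.eqxij.info)
\tby with esmtpa (Exim 4.69)
\t(envelope-from <>)
\tid 1MM8UW-2917kt-MJ
\tfor me@mydomain.com; Thu, 4 Apr 2013 17:26:51 +0300
To: <me@mydomain.com>
Subject: Russian bad boys forum here, come join!
From: <me@mydomain.com>
Content-Type: text/html

<html><body>World baddest hackers join us hereurl here: http://kidala.info</body></html>
"""

IP_RE = re.compile(r"\bfrom\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
ENV_RE = re.compile(r"envelope-from\s+<([^>]*)>")
URL_RE = re.compile(r"https?://[\w.-]+")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def analyse(raw):
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    # Only the topmost Received line was written by our own MX; every hop below it is sender-supplied text.
    top = str(received[0]) if received else ""
    ip, env = IP_RE.search(top), ENV_RE.search(top)
    hdr_from = parseaddr(str(msg["From"]))[1]
    hdr_to = parseaddr(str(msg["To"]))[1]
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    f = {
        "origin_ip": ip.group(1) if ip else None,       # connecting client
        "envelope_from": env.group(1) if env else "",   # SMTP MAIL FROM
        "from_equals_to": hdr_from.lower() == hdr_to.lower(),
        "urls": URL_RE.findall(body),                   # what the spam promotes
    }
    # From matching the recipient, or an envelope sender on another domain, is the trivial forgery the post describes.
    f["envelope_mismatch"] = domain(f["envelope_from"]) != domain(hdr_from)
    return f
```

The origin IP is the value worth reporting to the network owner; the From header is not, because it is whatever the sender chose to write.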

jeanette B, Michigan said...


stop sending me viruses, i know who you are,i am keeping my mouth shut, not reporting anyone to any authorities, so just leave me the @#$% alone, you lowlife spammers! you're safe, no worries
From: chicklesnpeas46
To: 8d53a1149f416e081da8981871f146c9-534925 <8d53a1149f416e081da8981871f146c9-534925@contact.gandi.net>
Date: Sun, Sep 1, 2013 6:46 pm





if you keep trying to put a virus on my computer I will take action, if you threaten me, I will take action, if you keep messing with me, or my family or friends, or neighbors, i'll take action, and if I get one more attempt to put a virus on my computer through email or otherwise, I will take immediate action, DO YOU UNDERSTAND!!!!!!!!!!!!! You people are evil scam artists, and I hope you get what's coming to you someday, I won't be a part of turning you slimy scumbags in, " for now" and I won't at all, as long as you leave me and my family alone, and back the HELL OFF!!!!!!!!!! I am not afraid of you, no matter how much money, power, resources or people you have in your sick vpn community, I am a Christian, that does good, I have a good heart, I am a child of God, and there is only 1 God, no ala, no sun God's, no nothing just one, that is Jesus Christ, my savior, and you and your satanic evil actions will be stopped and I will say one more thing, Get behind me now satan and all of your demons and evil doers, in the name of Jesus I command you to get away from me, my computer my home, my phone,my pets, my family, the power of Christ step on you all, and crush you, I annoint this email in the name of Jesus with the blood of Christ. Amen.



you know who I am : )






***************************


i know you are associated with arin.net, project honeypot, havenwyck hospital, dar essulam, and much much more, so do not continue your harassment towards me
From: chicklesnpeas46
To: ""\"8d53a1149f416e081da8981871f146c9-534925 <8d53a1149f416e081da8981871f146c9-534925\"" <"8d53a1149f416e081da8981871f146c9-534925 <8d53a1149f416e081da8981871f146c9-534925""@contact.gandi.net
Date: Sun, Sep 1, 2013 6:51 pm





if you want me to get all of the evidence I have against all of you in your community, and deliver it directly to nancy grace, of hln, fox news, cnn, msnbc, whether you think you own them or not, I will find someone who is not a part of your criminally insane sick operations and you will all rot in prison!!!!!!!!!!!! I am a woman scorned and a force you do not want to continue to come up against, stop messing with me as of right now!!!!!!!! 6:51 pm Sunday, Sept, 1 2013 and stay off my phones too!!!!! i have had to replace my laptop 4 times in a year and a half, my cellphone, 5 times in the last year and a half because of your hacking and viruses!




