A Story About Chocolate Bunnies, Walmart, and an Indian Crime Syndicate Known As the "Hangover" Group
On Easter Sunday, my mom made her traditional weekend phonecall to catch up on life and Facetime with my two daughters (to see their chocolate-bunny-covered faces). As we were talking, my mom casually mentioned that she had computer problems earlier in the week, and that the technical support representative was very nice and helpful. This statement immediately rang alarm bells in my head—I’m my mom’s technical support, and I had not provided any help recently.
Immediately, I started to interrogate my mom to assess the situation. Apparently, she had picked up her prescription from Walmart, and on the back of the receipt was a request to fill out a customer satisfaction survey at http://survey.walmart.com. Unfortunately, my mom mistyped the URL and went to the typosquatted domain http[:]//surveywalmart[.]com (notice the lack of a period between survey and walmart), where she was greeted with the following page:
My mother proceeded to panic and called the number listed in the modal popup. The polite customer service representative promptly calmed my mother down and socially engineered away her email address, mailing address, phone number, and the MAC address of her iPad. She also gave the associate her credit card number and worked with the individual to change several settings on her iPad.
After calling her credit card company to cancel my mom's card and forcing her to travel down to the local Apple store to restore her iPad settings (instructing my mom to make these changes over the phone is an exercise in futility), it was time to take advantage of the wonderful set of RiskIQ tools at my fingertips. Hopefully, it was time to make operations a bit more painful for these actors.
Looking at surveywalmart[.]com in PassiveTotal (below), we can see several interesting data points:
- A historical view of the IP resolution for this domain
- Points in time when the domain resolved to a different IP
- Registrant/Registrar information related to the domain
- Tags associated to the indicator that show that the domain is in RiskIQ’s blacklist and that it is active
First, we can see that the domain was registered back in 2009, and where it was parked up until November 10th of last year:
In November through late January, the domain was routable and resolvable to an IP address in Switzerland, then moved to an IP in Amazon Web Services (AWS). As seen in the screenshot above via open-source intelligence from Norman antivirus available directly through PassiveTotal (requiring no additional research), the older IP address is attributed to a group of India-based attackers dubbed “the Hangover group”:
Looking at WhoIS tab for the domain surveywalmart[.]com, we can see additional information that correlates to the Hangover group, namely the use of an Indian Registrar (Tirupati Domains and Hosting), registered using privacy protection:
We can also see several other domains that resolve to the same IP address:
Leveraging RiskIQ’s global virtual-user infrastructure, we crawled surveywalmart[.]com, which uncovered more details about the Hangover group’s infrastructure. Below, we see surveywalmart[.]com redirected to http[:]//nkqgy.voluumtrk.com:
Note that while voluumtrk[.]com associates to the Internet marketing company Codewise, the particular subdomain nkqgy.voluumtrk[.]com associates with other scareware/tech support scams within RiskIQ’s blacklist. For example, the below screenshot shows the threat sequence in which nkqgy.voluumtrk[.]com redirects to quiz-online[.]xyz, where this final URL presents the scam pop-up and attempts to leverage the vibrate mode to scare the victim:
Additionally, if we look back at my original screenshot, we can see that the site surveywalmart[.]com redirects to http[:]//apple-security-warning[.]info. Searching for apple-security-info[.]info in PassiveTotal returns the following:
As we can see, this domain started resolving two days ago. Again, pivoting based on IP, reveals that this IP is associated to at least another 133 domains, one of which is flagged as phishing in RiskIQ’s blacklist:
In a matter of minutes, I was able to leverage PassiveTotal and RiskIQ to build the additional context and indicators related to the Hangover group needed to take action as a cyber security researcher, a brand owner (Walmart), or a domain management company (Neustar). RiskIQ has submitted both surveywalmart[.]com and apple-security-warning[.]info for browser-based blocking to both Google Safe Browsing and Microsoft’s SmartScreen browser filters to help protect consumers, but these malicious websites are still live at the point of writing this blog post. We recommend Walmart investigate the domain in question and take the appropriate action.
As one can see, this campaign has been simple and very effective at fleecing consumers at web-scale for quite some time, likely earning them a great deal of money. Fortunately for my mom (and her credit card company), I was able to intervene and help with this specific incident.
It's important to note that Walmart is very much a victim in this situation as well: this incident is probably one of a thousand papercuts Walmart’s security team responds to on a daily basis related to fraud, which can add up to a much deeper wound. But by leveraging RiskIQ, I was easily able to identify a large portion of the Hangover group’s infrastructure that could be blocked and reported, impacting their ability to monetize and potentially deterring them from targeting more victims.