
UK Redstation Malware Haven

Money Mule/Malware Hosting Provider: A Sanctuary for Cybercriminals

This hosting company (data center) is hosting several of the money mule and malware sites we are encountering.
IP 109.73.77.82 = AS35662 = REDSTATION Redstation Limited

Postal address:
Redstation Limited
2 Frater Gate Business Park
Aerodrome Road
Gosport
Hampshire
PO13 0GW
UNITED KINGDOM

Telephone:
Enquiries: 0800 622 6655
24/7 Support: 0800 987 5640
International Enquiries: +44 1329 828224
International Support: +44 1329 243123

Name Server: NS1.MERXS.SU
Name Server: NS2.WERMO.SU
Name Server: NS3.MARSO.CC

Calling from abroad

From overseas please call us on +44 1329 828224 or for technical support call +44 1329 243123

To discuss your requirements call us on: 0800 622 6655 or email sales@redstation.com

Address lookup

canonical name http://www.redstation.com

aliases
addresses 149.3.142.10

Domain Whois record
Queried whois.internic.net with “dom redstation.com”…

Domain Name: REDSTATION.COM
Registrar: TUCOWS DOMAINS INC.

Whois Server: whois.tucows.com

Referral URL: http://domainhelp.opensrs.net
Name Server: DNS1.REDSTATION.CO.UK
Name Server: DNS2.REDSTATION.CO.UK

Status: clientTransferProhibited
Status: clientUpdateProhibited

Updated Date: 15-oct-2010
Creation Date: 21-sep-1999
Expiration Date: 21-sep-2020

Last update of whois database: Sat, 15 Jun 2013 00:45:19 UTC
Queried whois.tucows.com with “redstation.com”…

Registrant:
RACKCENTRE LIMITED
Wentworth House
4400 Parkway
Whiteley, Hampshire PO15 7FJ
GB

Domain name: REDSTATION.COM
Administrative Contact:
Admin, DNS admin@redstation.com
2 Frater Gate Business Park
Aerodrome Road
Gosport, Hampshire PO13 0GW
GB
+44.1329828224

Technical Contact:
Administrator, DNS admin@redstation.com
2 Frater Gate Business Park
Aerodrome Road
Gosport, Hampshire PO13 0GW
GB
+44.1329828224

Registration Service Provider:
Redstation Limited, admin@redstation.com
+44 1329 828224
http://www.redstation.com
Registrar of Record: TUCOWS, INC.
Record last updated on 12-Jun-2013

Record expires on 21-Sep-2020
Record created on 21-Sep-1999

Registrar Domain Name Help Center:
http://tucowsdomains.com

Domain servers in listed order:
DNS1.REDSTATION.CO.UK
DNS2.REDSTATION.CO.UK

Domain status: clientTransferProhibited

clientUpdateProhibited

Network Whois record
Queried whois.ripe.net with “-B 149.3.142.10”…

Information related to ‘149.3.142.8 – 149.3.142.11’

Abuse contact for ‘149.3.142.8 – 149.3.142.11’ is ‘abuse@redstation.com’

inetnum: 149.3.142.8 – 149.3.142.11

netname: REDSTATIONWEB
descr: Redstation Limited
descr: Web Server Network

country: GB
admin-c: RA1415-RIPE
tech-c: RA1415-RIPE
status: ASSIGNED PA
remarks: ABUSE REPORTS: abuse@redstation.com

mnt-by: REDSTATION-MNT
mnt-domains: REDSTATION-MNT
mnt-routes: REDSTATION-MNT

changed: ripe-admin@redstation.com 20110928
source: RIPE

role: Redstation Admin Role
address: Redstation Limited
address: 2 Frater Gate Business Park
address: Aerodrome Road
address: Gosport
address: Hampshire
address: PO13 0GW
address: UNITED KINGDOM

abuse-mailbox: abuse@redstation.com
e-mail: ripe-admin@redstation.com

admin-c: KMAC-RIPE
tech-c: PA5242-RIPE
nic-hdl: RA1415-RIPE
mnt-by: REDSTATION-MNT
changed: ripe-admin@redstation.com 20080625
source: RIPE

Information related to ‘149.3.140.0/22AS35662’
route: 149.3.140.0/22

descr: FTIP002960302 Redstation Limited
origin: AS35662

mnt-by: REDSTATION-MNT
changed: kevinmcardle@redstation.com 20110725
source: RIPE

% This query was served by the RIPE Database Query Service version 1.66.3 (WHOIS3)

DNS records
name class type data time to live
http://www.redstation.com IN A 149.3.142.10 60s (00:01:00)
redstation.com IN A 149.3.142.10 60s (00:01:00)
redstation.com IN NS dns2.redstation.co.uk 60s (00:01:00)
redstation.com IN NS dns1.redstation.co.uk 60s (00:01:00)
redstation.com IN SOA

server: dns1.redstation.co.uk
email: admin@redstation.co.uk
serial: 158
refresh: 300
retry: 600
expire: 600
minimum ttl: 60
60s (00:01:00)
redstation.com IN MX
preference: 5
exchange: mail.redstation.com
60s (00:01:00)

redstation.com IN TXT v=spf1 ip4:80.84.48.0/23 a mx include:redstationmail.co.uk -all 60s (00:01:00)

10.142.3.149.in-addr.arpa IN PTR http://www.redstation.com 3600s (01:00:00)
142.3.149.in-addr.arpa IN SOA

server: dns3.redstation.co.uk
email: admin@redstation.co.uk

serial: 2007071361
refresh: 1200
retry: 600
expire: 1728000
minimum ttl: 3600
3600s (01:00:00)
142.3.149.in-addr.arpa IN RRSIG
type covered: NSEC (47)
algorithm: RSA/SHA-1 (5)
labels: 5
original ttl: 10800 (03:00:00)
signature expiration: 2013-06-24 20:00:12Z
signature inception: 2013-06-14 20:00:12Z
key tag: 3017
signer’s name: 149.in-addr.arpa
signature:
(1024 bits)

10800s (03:00:00)
142.3.149.in-addr.arpa IN NSEC
next domain name: 143.3.149.in-addr.arpa
record types: NS RRSIG NSEC
10800s (03:00:00)
142.3.149.in-addr.arpa IN NS dns3.redstation.co.uk 3600s (01:00:00)
142.3.149.in-addr.arpa IN NS dns2.redstation.co.uk 3600s (01:00:00)

Traceroute
Tracing route to http://www.redstation.com [149.3.142.10]
hop rtt rtt rtt ip address fully qualified domain name
1 1 1 1 70.84.211.97 61.d3.5446.static.theplanet.com
2 1 0 0 70.87.254.5 po101.dsr02.dllstx5.networklayer.com
3 122 3 1 70.85.127.109 po52.dsr02.dllstx3.networklayer.com
4 0 0 0 173.192.18.230 ae17.bbr02.eq01.dal03.networklayer.com
5 20 20 20 173.192.18.135 ae1.bbr01.tl01.atl01.networklayer.com
6 33 33 33 173.192.18.152 ae0.bbr01.eq01.wdc02.networklayer.com
7 34 38 53 173.192.18.195 ae7.bbr02.eq01.wdc02.networklayer.com
8 113 113 113 50.97.18.215 ae0.bbr01.eq01.ams02.networklayer.com
9 189 222 211 195.69.147.48
10 114 114 114 109.200.17.234 34-17-200-109.rackcentre.redstation.net.uk
11 120 119 120 109.200.17.250 50-17-200-109.rackcentre.redstation.net.uk
12 114 114 114 149.3.142.10 http://www.redstation.com
Trace complete

— end —
Related Article:

Job Scams On LinkedIn Are Accelerating

Scammers Promise Easy Money in Trolling for LinkedIn Users

By Antone Gonsalves, CSO
November 25, 2013 09:51 AM ET

Antone Gonsalves of NETWORKWORLD.COM and other IT security experts are reporting on a growing problem with jobs posted on LinkedIn.com.

Accordingly, scammers have moved their operations onto the LinkedIn.com platform big time. Below is an excerpt which suggests that these scams are increasing at an accelerating rate.

CSO – Scammers exploiting the weak job market are looking for hapless victims on LinkedIn, which has become a major meeting site for job seekers and recruiters.

Over the last year, swindlers promising employment have been spreading from Facebook and Twitter to LinkedIn, where their fake profiles have been popping up as fast as the site is able to take them down, Bianca Stanescu, security specialist for anti-virus vendor Bitdefender, said Friday.

While job scams are regularly found on Facebook, LinkedIn was considered less susceptible because of its professional clientele, Stanescu said. However, it seems that a LinkedIn profile with a picture of a pretty woman posing as a job recruiter and promising easy money is too hard for people, particularly men, to resist.

“It’s especially enticing for men to click on these ads to work with such beautiful human resource managers like Christina and Annabelle,” Stanescu said. “We also found someone named Jessica.”

In a recent scam reported by Bitdefender, “Annabelle Erica,” a good-looking blonde, promised to put job applicants in touch with hundreds of companies looking for English translators.


WhoIs ~ www1.clicksensational.com

A threat to the Global Internet Infrastructure
Money Mule eco-system 1

Money Mule eco-system 2

190.120.229.99

www1.clicksensational.com

Announced By
Origin AS Announcement Description
AS26272 190.120.224.0/20 Infolink Panama Corp
AS26272 190.120.228.0/22 Infolink Panama Corp

Address has 29 hosts associated with it.

https://route.robtex.com/190.120.229.0-24.html#netmap

190.120.229.0/24

We have 206 A records and 119 PTR records in this network. Six percent of the A records have corresponding PTR records and ten percent of the PTR records have corresponding A records.

Network Map – Network

 

IANA-BLK The whole IPv4 address space

admin-c: IANA1-AFRINIC
country: EU # Country is really world wide
descr: The whole IPv4 address space
inetnum: 0.0.0.0 – 255.255.255.255
mnt-by: AFRINIC-HM-MNT
mnt-lower: AFRINIC-HM-MNT
netname: IANA-BLK
org: ORG-IANA1-AFRINIC
remarks: The country is really worldwide.
This address space is assigned at various other places in
the world and might therefore not be in the RIPE database.
data has been transferred from RIPE Whois Database 20050221
source: AFRINIC # Filtered
status: ALLOCATED UNSPECIFIED
tech-c: IANA1-AFRINIC

BGP announced by

 

128.0.0.0/2

BGP announced by

190.120.224.0/20 Infolink_190-120-224-0-BLOCK

BGP announced by

Registered route from

Location Panama

190.120.228.0/22

Network

PA-IPCO3-LACNIC Infolink Panama Corp.

abuse-c: MIA17
address: APDO 0832-2745, –, Suite 152, World Trade C
0832-2745 – Panama – PA
changed: 20120321
country: PA
created: 20120321
inetnum: 190.120.228/22
inetnum-up: 190.120.224/20
inetrev: 190.120.228/22
nserver: NS3.FORTATRUST.COM
nslastaa: 20130727
nsstat: 20130727 AA
owner: Infolink Panama Corp.
owner-c: MIA17
ownerid: PA-IPCO3-LACNIC
phone: +507 3176046 []
responsible: Miguel Abood
status: reallocated
tech-c: MIA17

BGP announced by


The Netherlands Dismantled Cyber Ring

The Hague, the Netherlands
13 February 2013

Spanish Police, working closely with the European Cybercrime Centre (EC3) at Europol, have dismantled the largest and most complex cybercrime network dedicated to spreading police ransomware. It is estimated that the criminals affected tens of thousands of computers worldwide, bringing in profits in excess of one million euros per year.

Operation Ransom resulted in 11 arrests – the first was a 27-year-old Russian, responsible for the creation, development and international distribution of the various versions of the malware. He was arrested in the United Arab Emirates and is currently awaiting extradition to Spain. Furthermore, one of the criminal network’s largest financial cells in the Costa del Sol was dismantled. Spanish Police also arrested another 10 individuals linked to the financial cell: six Russians, two Ukrainians and two Georgians.

Six premises were searched in the province of Málaga, where IT equipment used for the criminal activities was confiscated. In addition, investigators seized credit cards used to cash out the money that victims paid via Ukash, Paysafecard and MoneyPak vouchers, as well as around 200 credit cards which were used to withdraw €26 000 in cash prior to the arrests.

The financial cell of the network specialised in laundering the proceeds of their crimes, obtained in the form of electronic money. For this, the gang employed both virtual systems for money laundering and other traditional systems using various online gaming portals, electronic payment gateways or virtual coins. They also used compromised credit cards to extract cash from the accounts of ransomware victims via ATMs in Spain. As a final step, daily international money transfers through currency exchanges and call centres ensured the funds arrived at their final destination in Russia.

Police ransomware is a type of malware that blocks the computer, accusing the victims of having visited illegal websites containing child abuse material or file sharing, and requests the payment of a fine to unblock it. By dressing the ransomware up to look as if it comes from a law enforcement agency, cybercriminals convince the victim to pay the ‘fine’ of €100 through two types of payment gateways – virtual and anonymous – as a penalty for the alleged offence. The criminals then go on to steal data and information from the victim’s computer. Since the virus was detected in May 2011, there have been more than 1200 reported cases just in Spain, and the number of victims could be much higher.

Operation Ransom was led by the Spanish Police (Technological Investigation Squad of the Central UDEF, part of the General Commissariat of the Judicial Police, with the cooperation of the Provincial Police Station and the GOES from Costa del Sol -SPANISH NATIONAL POLICE-.) and coordinated by Europol and Interpol. Other crucial partners included Eurojust, the attachés of the Ministry of Interior of the Spanish Embassy in Moscow and the Spanish Embassy in the UAE.

For advice on how to prevent becoming a victim of police ransomware, please read our Tips & advice to prevent police ransomware infecting your computer brochure.

https://www.europol.europa.eu/content/police-dismantle-prolific-ransomware-cybercriminal-network