May 28, 2015

Cybercriminals who specialize in phishing — or tricking people into giving up usernames and passwords at fake bank and ecommerce sites — aren’t generally considered the most sophisticated crooks, but occasionally they do exhibit creativity and chutzpah. That’s most definitely the case with a phishing gang that calls itself the “Manipulaters Team”, whose Web site boasts that it specializes in brand research and development.

I first learned about the Manipulaters from a source at an Australian bank who clued me in to a phishing group that specializes in targeting Apple’s iCloud services and a whole mess of U.S., European and Asian banks. For whatever reason (probably because they’re proud of their work), these guys leave a calling card of sorts in the WHOIS Web site registration records for most of the phishing domains that they register: According to Domaintools.com, some 329 domains are registered to “admin@manipulaters[dot]com” (complete list of domains: in PDF and CSV).

The Web site for the "Manipulaters Team," a phishing gang that brazenly advertises a specialization in "brand research."

Manipulaters[dot]com is a pretty amusing site all around. Their home page advises that Manipulaters “is an institute that caters to brand research & development. We have studied computer related products immensely, and are confident that we can get the job done. The learning never stops for us though, as we are always looking for ways to improve.” Brand research. Yeah, right.

“Our goal is to help each business and brand reach their ultimate potential,” explains the “Our Members” section of the site. “We have contracts with our members that allows us to have guidelines for them to follow on their path to success. We have put these in place for a reason. This provides the stability and direction that companies/brands need to succeed.” Points for brazenness.

Their site advises that interested parties can “become a member” of the Manipulaters Team just by paying a one-time membership fee of $15, and providing a driver’s license/ID card plus a phone or electricity bill. Ah, there’s nothing quite like phishers phishing phishers.

The scary aspect of this fraud gang is that they appear to play in the Web hosting space as well. Most of their phishing pages are in fact hosted on Internet address space that is assigned to Manipulaters[dot]com: Incredibly, the group is listed as the current occupants of an entire Class C range of Internet addresses, from 167.160.46.0 to 167.160.46.255.

One common name across most of the online properties erected by the Manipulaters Team is Madih-ullah Riaz, a resident of Pakistan who appears to manage the Manipulaters out of a high-rise apartment building in Karachi. Interestingly, Riaz’s email address — madihrb@hotmail.com — was among those listed as a user of BestRecovery, a phishing and malware deployment service whose user database was hacked last year. Mr. Riaz did not respond to requests for comment.

Mr. Riaz is listed as the founding member on the “About Us” page of the Manipulaters Team, along with a guy named Omer Fareed. Both men also are listed as founders of a software company called Posting Kit, which is a company included in the job history on Riaz’s LinkedIn profile.

The Manipulaters Team likes to use domain name service (DNS) settings from another blatantly fraudulent service called “FreshSpamTools[dot]eu”, a scammer-friendly service offered by a fellow Pakistani that also conveniently sells phishing toolkits targeting a number of popular brands. Manipulators indeed.


31 thoughts on “Phishing Gang is Audacious Manipulator”

  1. Rich Williams

    Brian … I presume that, since they say:

    “…membership fee of $15, and providing a driver’s license/ID card plus a phone or electricity bill…”

    that they’re bright enough to know that they’ll receive falsified driver id’s and electric bills.

    1. Cody Wood

      This is typical in many relatively organized crime circles. It’s seen on TV a lot and is actually true in a way. Turning over stolen credentials for verification ensures that the buyer is either directly involved in identity theft or forgery operations. As seen on TV: “hey, do this line of coke so we know you’re not a cop…”

      1. Undo

        Interesting, I hadn’t been aware of that. But while I can see it weeding out rank amateurs, unlike the do-this-line example it obviously wouldn’t weed out law enforcement, who would have no trouble getting fake ID documents.

  2. Karen Bannan

    Would be an interesting blog if you were able to interview one of the manipulators and give us a little more info about their end goals!

    –KB

    Karen J. Bannan, commenting on behalf of IDG and FireEye.

  3. Bob

    When I read just the title of this post, I thought it was about a company that specialized in spear phishing attacks for a fee. If I wanted the credentials to the CFO’s account at XYZ company, the manipulators would, for an appropriate number of bitcoins, launch a spear phishing attack against the CFO of XYZ, and give me the credentials for the compromised account.

    1. Jeff

      Don’t give them any ideas. That’s probably going to be their next endeavor.

  4. anonymous reaver

    if you need more exhaustive security net vulnerability issues, please visit cve-mitre.org

    1. SoyTenely

      Why are you posting a domain that is for sale; it isn’t even parked.

      1. qka

        Look again folks!!!!

        That’s cve-mitre.org vs. cve.mitre.org

        A common scammer trick.

    2. Chris

      cve.mitre.org is the real site of course, yeah it’s odd they would post that. It is indeed for sale. I might buy it out of curiosity as to why someone would post that randomly. Huh.

      1. Chris

        I just registered that domain. I e-mailed the mitre folks to let them know. I’m curious as to the traffic I will see. It redirects to my main page at the moment.

  5. Michael Iger

    Sounds like they are holding out to be on 60 Minutes or Dateline.

  6. meh

    How are they any more phony than the credit bureaus?

    1. IA Eng

      HA! I think it’s simple. The people have been brainwashed that the credit bureaus are good for them. They now have the nod of approval that they are needed – in some form or another.

      It’s only a matter of time before these crooks either get the nod of approval as something that’s new and shiny that people must have, or the nod of the prison guard who takes roll call just before bedtime with Bubba.

      What happens first, and in what order or direction – we will just have to see how far they go.

      As for the website, I am sure it can be stood up within a day or two, with nicely polished words and catch phrases. They may do some nefarious things, but on the scale of things, where do these internet hacking hobos stand in a long line of wannabe nostalgic hackers?

  7. NotME

    My favorite domain they have is wellsfrgoinfo.com. Thanks for the list, Brian; so easy to import it into the Barracuda, although I suspect some parts of it are already there.

    Easy to block off the class c as well, I hope they enjoy wasting time trying to use these now that we know who they are.

  8. Some Aussie

    Some new ones to add to your list:

    alibayair.com
    bankofcyprusonline.com
    bendigoebank.com
    brainstomerz.com
    hlbconnect.com
    royaloilandgasuk.com

  9. John Smith

    There appear to be at least 175 domains sitting on this box.
    http://whois.domaintools.com/176.9.17.171

    > Resolve Host server.manipulaters.com
    > Reverse IP 175 websites use this address.

    Not all their domains are hosted within the /24 they own. It might be wise to block everything coming from a box on *.manipulaters.com
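The two blocking rules the comments above propose (NotME’s “block off the class c” and John Smith’s “block everything coming from a box on *.manipulaters.com”) combined into one check, as an added example that is not code from the article or its commenters. The 167.160.46.0/24 netblock and the 176.9.17.171 / server.manipulaters.com pair come from the page; the other resolver results are constructed for this example.

```python
import ipaddress

# Netblock the article says is assigned to Manipulaters[dot]com, and the
# reverse-DNS suffix a commenter proposes blocking on (both from the page).
BLOCKED_NETS = [ipaddress.ip_network("167.160.46.0/24")]
BLOCKED_PTR_SUFFIXES = ("manipulaters.com",)

# Constructed sample of resolver output: hostname -> (A record, PTR of that A).
# The 176.9.17.171 / server.manipulaters.com pair is quoted from the comment;
# the remaining addresses and PTR names are made up for this example.
SAMPLE_RESOLUTIONS = {
    "wellsfrgoinfo.com": ("167.160.46.12", "host12.manipulaters.com"),
    "paytobtc.com": ("176.9.17.171", "server.manipulaters.com"),
    "bankofcyprusonline.com": ("198.51.100.7", None),
    "example.org": ("93.184.216.34", "example.org"),
    "manipulaters.com.example.net": ("203.0.113.9", "manipulaters.com.example.net"),
}


def ptr_matches(ptr, suffixes):
    """True if the PTR name is exactly a blocked suffix or a subdomain of one.

    The match is anchored at the end of the name, so a host that merely embeds
    the string (manipulaters.com.example.net) does not match.
    """
    if not ptr:
        return False
    host = ptr.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(addr, ptr, nets=BLOCKED_NETS, suffixes=BLOCKED_PTR_SUFFIXES):
    """Return why a host should be blocked ('netblock' or 'reverse-dns'), or None."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in nets):
        return "netblock"
    if ptr_matches(ptr, suffixes):
        return "reverse-dns"
    return None


def blocklist(resolutions):
    """Map each hostname that trips a rule to the rule that fired."""
    result = {}
    for hostname, (addr, ptr) in resolutions.items():
        reason = classify(addr, ptr)
        if reason:
            result[hostname] = reason
    return result


if __name__ == "__main__":
    for host, reason in blocklist(SAMPLE_RESOLUTIONS).items():
        print(f"{host}: block ({reason})")
```

A domain outside the /24 whose reverse DNS is not under manipulaters.com (bankofcyprusonline.com in the sample) is missed by both rules, which is the gap John Smith is pointing at.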

  10. Jett

    I really think this is the same gang that was targeting Facebook a while back with phishing scams. Not too long ago I was getting strange Facebook chat requests in the middle of the night from what appeared to be one of my Facebook friends. The chats were strange, but quite convincing at first…they would say something like, “hey are you there? I really need to talk to you about something.” Then I would proceed to say “what’s up?” and that is when the “click here to check out this new service that keeps you safe on Facebook!” came, or another one was “I just won a new iPad and they are still giving ten away yadda yadda.” So I did some investigating of my own, and some of the domains you listed on that PDF, Brian, are some of the actual domains I crawled via WebScarab and found correlations between several phishing and scamming sites. Interesting read.

  11. Buddha Chris

    Another scary aspect I thought about as I read this is: why not, as a phisher, simply set up a semi-legit business front and, instead of sending out phishing emails, simply appear as a legit business with enough real-world references, credibility and social media references that people will trust you and actually freely give you their PII?

    One interesting question is what is a good methodology for validating web based businesses to ensure they are legit. All one needs to do these days is establish a web-of-trust on the internet much like a high ranked Google search result and I would bet many people would give you their credit card and PII.

    Perhaps a web registry of known trusted web businesses would make sense.

    At the end of the day lack of law enforcement in countries outside the US is a huge contributor to Cybercrime.

    1. peter

      Lack of law enforcement outside the US of Aggression???? ROFL Our rate of criminality is just one tenth of yours so we don’t need to spend fortunes on police, who in the USA’s case mainly kill innocent citizens, become criminals themselves and get away with it, what a kind of law enforcement. We sent criminals and religion fanatics overseas a few hundred years ago and look what that bred: criminal religion fanatics and religion fanatic criminals. Take some time away from the keyboard and get to know the real world.

  12. Ed Bachner

    I just found out EMET 5.2 is available.
    Comments?

    1. timeless

      EMET 5.2:
      http://blogs.technet.com/b/srd/archive/2015/03/12/emet-5-2-is-available.aspx

      3/16/2015 UPDATE: We have received reports of certain customers experiencing issues with EMET 5.2 in conjunction with Internet Explorer 11 on Windows 8.1. We recommend customers that downloaded EMET 5.2 before March 16th, 2015 to download it again via the link below, and to uninstall the previous EMET 5.2 before installing the new one.

  13. Anonymous

    6 of the domain addresses in that list contain ‘btc’, including paytobtc[dot]com.

    Also the FB hyperlink in ‘Omer Fareed’ no longer works, so I’m guessing he’s read the article!

  14. Andy Judd

    Just to let you know your book is NOW published in the UK. It’s been a long wait.

  15. Andy Judd

    Just to let you know your book has finally been published in the UK. It’s a good read.

  16. Mike

    Technology is replete with manipulation. In spite of all the personalization, customization, and specialization that can be achieved through and with computers, there is still an extremely high degree of people doing exactly what they are told to do and nothing else.

    In all fairness, the same thing happens in other areas of life. Marriage, finances, politics, education, cars, houses, and climbing the company ladder. It seems to be a cookie cutter world with little difference between slaves.

    Somebody once said that membership has its privileges. Maybe it does, but it will never provide any level of common sense, logic, or opportunity at enough freedom to rise above manipulation.

  17. patti

    So… IP registrars no longer discriminate between good and bad? When did that change happen?

    1. Ian McKenzie

      I was wondering the same thing. Curious to know if they hijacked any of that address space as spammers have been known to do.
