“FudCo” Spam Empire Tied to Pakistani Software Firm – Krebs on Security

In May 2015, KrebsOnSecurity briefly profiled “The Manipulaters,” the name chosen by a prolific cybercrime group based in Pakistan that was very publicly selling spam tools and a range of services for crafting, hosting and deploying malicious email. Six years later, a review of the social media postings from this group shows they’re prospering, while rather poorly hiding their activities behind a software development firm in Lahore that has secretly enabled an entire generation of spammers and scammers.

The web page in 2015 for the “Manipulaters Crew,” a group of Pakistani hackers behind the dark web identity “Saim Raza,” who sells spam and malware tools and services.

The Manipulaters’ core brand in the underground is a shared cybercriminal identity named “Saim Raza,” who for the past decade across dozens of cybercrime sites and forums has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” etc.

The common acronym in nearly all of Saim Raza’s domains over the years, “FUD,” stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

One of several current Fudtools sites run by The Manipulaters.

The current website for Saim Raza’s Fud Tools (above) offers phishing templates or “scam pages” for a variety of popular online sites like Office365 and Dropbox. They also sell “Doc Exploit” products that bundle malicious software with innocuous Microsoft Office documents; “scampage hosting” for phishing sites; a variety of spam blasting tools like HeartSender; and software designed to help spammers route their malicious email through compromised sites, accounts and services in the cloud.

For years leading up to 2015, “admin@manipulaters.com” was the name on the registration records for thousands of scam domains that spoofed some of the world’s top banks and brand names, but particularly Apple and Microsoft. When confronted about this, The Manipulaters founder Madih-ullah Riaz replied, “We don’t intentionally host or allow any phishing or any other abusive website. Regarding phishing, whenever we receive complaint, we remove the services immediately. Also we’re running business since 2006.”

The IT network of The Manipulaters, circa 2013. Image: Facebook

Two years later, KrebsOnSecurity received an email from Riaz asking to have his name and that of his business partner removed from the 2015 story, saying it had hurt his company’s ability to maintain stable hosting for their stable of domains.

“We run web hosting business and due to your post we got very serious problems especially no data center was accepting us,” Riaz wrote in a May 2017 email. “I can see you post on hard time criminals we aren’t criminals, at least it was not in our knowledge.”

Riaz said the problem was that his company’s billing system erroneously used The Manipulaters’ name and contact information instead of its clients’ in WHOIS registration records. That oversight, he said, caused many researchers to erroneously attribute to them activity that was coming from just a few bad customers.

“We work hard to earn money and it’s my request, 2 years of my name in your wonderful article is enough punishment and we learned from our mistakes,” he concluded.

The Manipulaters have indeed learned a few new tricks, but keeping their underground operations air-gapped from their real-life identities is mercifully not one of them.


Phishing domains registered to The Manipulaters included an address in Karachi, with the phone number 923218912562. That same phone number is shared in the WHOIS records for 4,000+ domains registered through domainprovider[.]work, a domain controlled by The Manipulaters that appears to be a reseller of another domain name provider.

One of Saim Raza’s many ads in the cybercrime underground for his Fudtools service promotes the domain fudpage[.]com, and the WHOIS records for that domain share the same Karachi phone number. Fudpage’s WHOIS records list the contact as “admin@apexgrand.com,” which is another email address used by The Manipulaters to register domains.

As I noted in 2015, The Manipulaters Crew used domain name service (DNS) settings from another blatantly fraudulent service called ‘FreshSpamTools[.]eu,’ which was offered by a fellow Pakistani who also conveniently sold phishing toolkits targeting a number of big banks.

The WHOIS records for FreshSpamTools briefly list the email address bilal.waddaich@gmail.com, which corresponds to the email address for a Facebook account of a Bilal “Sunny” Ahmad Warraich (a.k.a. Bilal Waddaich).

Bilal Waddaich’s current Facebook profile photo includes many current and former employees of We Code Solutions.

Warraich’s Facebook profile says he works as an IT support specialist at a software development company in Lahore called We Code Solutions.

The We Code Solutions website.

A review of the hosting records for the company’s website wecodesolutions[.]pk shows that over the past three years it has shared a server with just a handful of other domains, including:



The profile image atop Warraich’s Facebook page is a group photo of current and former We Code Solutions employees. Helpfully, many of the faces in that photo have been tagged and associated with their respective Facebook profiles.

For example, the Facebook profile of Burhan Ul Haq, a.k.a. “Burhan Shaxx,” says he works in human relations and IT support for We Code Solutions. Scanning through Ul Haq’s endless selfies on Facebook, it’s impossible to ignore a series of photos featuring various birthday cakes and the words “Fud Co” written in icing on top.

Burhan Ul Haq’s photos show many Fud Co-themed cakes the We Code Solutions employees enjoyed on the anniversary of the Manipulaters Crew.

Yes, from a review of the Facebook postings of We Code Solutions employees, it appears that for at least the last 5 years this group has celebrated an anniversary every May with a Fud Co cake, non-alcoholic sparkling wine, and a Fud Co party or group dinner. Let’s take a closer look at that delicious cake:

The head of We Code Solutions appears to be a guy named Rameez Shahzad, the older individual at the center of the group photo in Warraich’s Facebook profile. You can tell Shahzad is the boss because he’s at the center of virtually every group photo he and other We Code Solutions employees posted to their respective Facebook pages.

We Code Solutions boss Rameez Shahzad (in sunglasses) is in the center of this group photo, which was posted by employee Burhan Ul Haq, pictured just to the right of Shahzad.

Shahzad’s postings on Facebook are even more revelatory: On Aug. 3, 2018, he posted a screenshot of someone logged into a website under the username Saim Raza, the same identity that’s been pimping Fud Co spam tools for close to a decade now.

“After [a] very long time, Mailwizz prepared,” Shahzad wrote as a caption to the photograph:

We Code Solutions boss Rameez Shahzad posted on Facebook a screenshot of someone logged into a WordPress site with the username Saim Raza, the same cybercriminal identity that has peddled the FudTools spam empire for more than 10 years.

Whoever controlled the Saim Raza cybercriminal identity had a penchant for re-using the same password (“lovertears”) across dozens of Saim Raza email addresses. One of Saim Raza’s favorite email address variations was “sport.changer@[pick ISP here]”. Another email address advertised by Saim Raza was “bluebtcus@gmail.com.”

So it was not surprising to see Rameez Shahzad post a screenshot to his Facebook account of his computer desktop, which shows he’s logged into a Skype account that begins with the name “sport.” and a Gmail account beginning with “bluebtc.”

Image: Scylla Intel

KrebsOnSecurity attempted to reach We Code Solutions via the contact email address on its website (information@wecodesolutions[.]pk), but the message bounced back, saying there was no such address. Similarly, a call to the Lahore phone number listed on the website produced an automated message saying the number is not in service. None of the We Code Solutions employees contacted directly via email or phone responded to requests for comment.


This open-source research on The Manipulaters and We Code Solutions is damning enough. But the real icing on the Fud Co cake is that sometime in 2019, The Manipulaters failed to renew their core domain name, manipulaters[.]com, the same one tied to so many of the company’s past and current business operations.

That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Whoops.

Scylla co-founder Sasha Angus said the messages that flooded their inbox once they set up an email server on that domain quickly filled in many of the details they didn’t already have about The Manipulaters.

“We know the principals, their actual identities, where they are, where they hang out,” Angus said. “I’d say we have several thousand exhibits that we could put into evidence potentially. We have them six ways to Sunday as being the guys behind this Saim Raza spammer identity on the forums.”

Angus said he and a fellow researcher briefed U.S. prosecutors in 2019 about their findings on The Manipulaters, and that investigators expressed interest but also seemed overwhelmed by the volume of evidence that would need to be collected and preserved about this group’s activities.

“I think one of the things the investigators found challenging about this case was not who did what, but just how much bad stuff they’ve done over the years,” Angus said. “With these guys, you keep going down this rabbit hole that never ends because there’s always more, and it’s fairly astonishing. They are prolific. If they had halfway decent operational security, they could have been really successful. But thankfully, they don’t.”
