Internet Domain Registry


Friday, 21 November 2008

AsProx: The Phisher King?

Posted on 14:00 by Unknown
The most spammed phish on the planet took a brief respite after the McColo network was shut down, but the Phisher King is back again.

We see ten thousand or more reports per day of the Asprox spammed phish, and sadly this has gone on non-stop for as long as we can remember, with the brief exception of last week.

The typical scenario is that ten domain names are chosen and used in spammed URLs that contain a high degree of randomization. Abbey Bank has been their favorite target for nearly all of 2008. The hostname starts with a "word" followed by a number, then the brand's real hostname, then (in the Abbey URLs) a random string, and finally the domain the phisher actually registered. Everything before that last domain is just a subdomain label under the phisher's own DNS, which is why the brand text looks legitimate. The path portion of the URL is constant for each brand currently being spammed. After the path comes a question mark and what looks like random characters, but which actually decode to the email address of the person who received the spam. (We leave the encoded email address portion off in our examples.)

The "Abbey" path for some time has been "/CentralLogonWeb/Confirm?"

The current "Associated Bank" path is "/web_bank/confirm.asp?"

http://myonlineaccounts0.abbey.co.uk.html650963.input2.cc/CentralLogonWeb/Confirm?srvid=
http://myonlineaccounts0.abbey.co.uk.http60319982.code11.ca/CentralLogonWeb/Confirm?update=
http://myonlineaccounts1.abbey.co.uk.doc618591.root71.ws/CentralLogonWeb/Confirm?confirm=
http://myonlineaccounts1.abbey.co.uk.fast35837924.3update.eu/CentralLogonWeb/Confirm?file=
http://myonlineaccounts2.abbeynational.co.uk.browse9701521.sslweb5.bz/CentralLogonWeb/Confirm?version=
http://myonlineaccounts2.abbey-national.co.uk.comm2053275.code11.ca/CentralLogonWeb/Confirm?service=
http://myonlineaccounts2.abbey-national.co.uk.control790833.3update.eu/CentralLogonWeb/Confirm?cipher=
http://myonlineaccounts2.abbeynational.co.uk.err9962057184.5version.mobi/CentralLogonWeb/Confirm?debug=
http://ww2.abbeynational.com.server3610179.input2.cc/CentralLogonWeb/Confirm?bin=
http://ww2.abbeynational.com.sslcom670006.8locate.tk/CentralLogonWeb/Confirm?lang=
http://ww2.abbeynational.com.sys2481.offset9.name/CentralLogonWeb/Confirm?check=

http://bolb1.associatedbank.com.pif02.jp/web_bank/confirm.asp?log-in=
http://bolb1.associatedbank.com.root71.ws/web_bank/confirm.asp?version=
http://bolb1.associatedbank.com.sslweb5.bz/web_bank/confirm.asp?spool=
http://bolb1.associatedbank.com.sys17.name/web_bank/confirm.asp?set=

http://www8.associatedbank.com.sslcom5.cc/web_bank/confirm.asp?tag=
http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?locate=
http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?offset=
http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?script=

Just in the last twenty-four hours, we saw more than 25,000 variations of these URL patterns.
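The URL structure described above, as an added example that is not code from the original post: a classifier that splits a spammed URL into the campaign's fields, plus a clustering step showing how the thousands of variations collapse onto a handful of registered domains, which are the only part of the URL a registrar can act on. The brand hostnames, the per-brand paths and the nineteen sample URLs are taken from the post; the regex, the clustering step and the simplified "last two labels" domain rule are this example's own assumptions (a real deployment would use the Public Suffix List).

```python
"""Classify and cluster Asprox-style phish URLs.

Added example, not code from the original post. Brand hostnames and
per-brand paths are from the post; the regex, the clustering step and
the two-label registered-domain rule are this example's own.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Brand hostnames the campaign embeds, mapped to the constant path the
# post reports for that brand (query string not included).
BRAND_PATHS = {
    "abbey.co.uk": "/CentralLogonWeb/Confirm",
    "abbeynational.co.uk": "/CentralLogonWeb/Confirm",
    "abbey-national.co.uk": "/CentralLogonWeb/Confirm",
    "abbeynational.com": "/CentralLogonWeb/Confirm",
    "associatedbank.com": "/web_bank/confirm.asp",
}
BRAND_FAMILY = {h: ("associated" if "associated" in h else "abbey")
                for h in BRAND_PATHS}

# <word><digits>.<brand host>[.<word><digits>].<registered domain>
# The two-label domain rule fits every domain in the post; it is an
# assumption, not a general rule (think co.uk), so use the PSL in production.
HOST_RE = re.compile(
    r"^(?P<prefix>[a-z]+)(?P<seq>\d+)"
    r"\.(?P<brand>" + "|".join(re.escape(h) for h in BRAND_PATHS) + r")"
    r"(?:\.(?P<filler>[a-z]+\d+))?"
    r"\.(?P<domain>[a-z0-9-]+\.[a-z]+)$"
)


def classify(url):
    """Break a URL into the campaign's fields; None if it does not fit."""
    parts = urlsplit(url)
    m = HOST_RE.match(parts.hostname or "")
    if not m:
        return None
    # The query carries a per-recipient token; the post does not give the
    # encoding, so only the parameter name is kept here.
    tracker = parts.query.split("=", 1)[0]
    return {
        "family": BRAND_FAMILY[m["brand"]],
        "brand_host": m["brand"],
        "filler": m["filler"],
        "domain": m["domain"],  # the only part the phisher had to register
        "path_ok": parts.path == BRAND_PATHS[m["brand"]],
        "tracker": tracker,
    }


def cluster(urls):
    """Collapse URL variations onto (brand family, registered domain) keys."""
    keys = Counter()
    for url in urls:
        hit = classify(url)
        if hit and hit["path_ok"]:
            keys[(hit["family"], hit["domain"])] += 1
    return keys


# The nineteen URLs quoted in the post.
SAMPLE_URLS = [
    "http://myonlineaccounts0.abbey.co.uk.html650963.input2.cc/CentralLogonWeb/Confirm?srvid=",
    "http://myonlineaccounts0.abbey.co.uk.http60319982.code11.ca/CentralLogonWeb/Confirm?update=",
    "http://myonlineaccounts1.abbey.co.uk.doc618591.root71.ws/CentralLogonWeb/Confirm?confirm=",
    "http://myonlineaccounts1.abbey.co.uk.fast35837924.3update.eu/CentralLogonWeb/Confirm?file=",
    "http://myonlineaccounts2.abbeynational.co.uk.browse9701521.sslweb5.bz/CentralLogonWeb/Confirm?version=",
    "http://myonlineaccounts2.abbey-national.co.uk.comm2053275.code11.ca/CentralLogonWeb/Confirm?service=",
    "http://myonlineaccounts2.abbey-national.co.uk.control790833.3update.eu/CentralLogonWeb/Confirm?cipher=",
    "http://myonlineaccounts2.abbeynational.co.uk.err9962057184.5version.mobi/CentralLogonWeb/Confirm?debug=",
    "http://ww2.abbeynational.com.server3610179.input2.cc/CentralLogonWeb/Confirm?bin=",
    "http://ww2.abbeynational.com.sslcom670006.8locate.tk/CentralLogonWeb/Confirm?lang=",
    "http://ww2.abbeynational.com.sys2481.offset9.name/CentralLogonWeb/Confirm?check=",
    "http://bolb1.associatedbank.com.pif02.jp/web_bank/confirm.asp?log-in=",
    "http://bolb1.associatedbank.com.root71.ws/web_bank/confirm.asp?version=",
    "http://bolb1.associatedbank.com.sslweb5.bz/web_bank/confirm.asp?spool=",
    "http://bolb1.associatedbank.com.sys17.name/web_bank/confirm.asp?set=",
    "http://www8.associatedbank.com.sslcom5.cc/web_bank/confirm.asp?tag=",
    "http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?locate=",
    "http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?offset=",
    "http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?script=",
]

if __name__ == "__main__":
    for (family, domain), n in sorted(cluster(SAMPLE_URLS).items()):
        print(f"{family:11} {domain:15} {n} variation(s)")
```

Run against the nineteen sample URLs, the nineteen variations reduce to thirteen (family, domain) keys over eleven registered domains; the real bank hosts (no numeric suffix, no trailing phisher domain) do not match and come back as None, which is the check worth keeping in a mail filter.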

How does the Phisher King keep his domains alive? Part of it is his use of a wide and ever-shifting set of Registrars. For example, consider today's domains:

Abbey Domains:

sslweb5.bz
code11.ca (registered 29OCT08 with Internic.ca)
input2.cc (registered 06NOV08 with Moniker)
2r2cw3a8u.com (registered 12NOV08 with XIN NET Technology)
3jk2p84x1.com (registered 12NOV08 with XIN NET Technology)
topmango.com (registered in 2001 with TuCows)
3update.eu (registered 06NOV08 with PublicDomainRegistry.com)
ide08.gs (registered 12NOV08 with Key-Systems)
48filt.jp (funky .jp whois gives no useful data)
4logon.jp (funky .jp whois gives no useful data)
pif02.jp (funky .jp whois gives no useful data)
5version.mobi (registered 06NOV08 with Directi Internet Solutions)
25uid.name (registered 06NOV08 with Directi Internet Solutions)
sys17.name (registered 05NOV08 with UK2 Group)
8locate.tk ("locked" by the clueless idiots at "Dot TK" while the phish stayed live; a lock stops changes and transfers, it does not stop the domain resolving)
15load.tv (registered 04NOV08 with UK2 Group)
17gdi.tv (registered 11NOV08 with UK2 Group)
manage5.tv (registered 29OCT08 with UK2 Group)
root71.ws (registered 06NOV08 with Directi Internet Solutions)
udp96.ws (registered 04NOV08 with Directi Internet Solutions)

Associated Domains:

sslweb5.bz (error)
code11.ca (registered 29OCT08 with Internic.ca Corp)
input2.cc (registered 06NOV08 with Moniker Online Services)
6tagid.com (registered 05NOV08 with Moniker Online Services)
3update.eu (registered 06NOV08 with PublicDomainRegistry.com)
ide08.gs (registered 12NOV08 with Key-Systems)
login5.gs (registered 30OCT08 with Key-Systems)
1server.jp (registered 04NOV08 - whois.jprs.jp)
48filt.jp (registered 30OCT08 - whois.jprs.jp)
4logon.jp (registered 31OCT08 - whois.jprs.jp)
asp29.jp (registered 12NOV08 - whois.jprs.jp)
log-in1.jp (registered 27OCT08 - whois.jprs.jp)
pif02.jp (registered 06NOV08 - whois.jprs.jp)
5version.mobi (registered 06NOV08 with Directi Internet Solutions)
25uid.name (registered 06NOV08 with Directi Internet Solutions)
sys17.name (registered 05NOV08 with UK2 Group Ltd)
8default.net (registered 05NOV08 with Moniker Online Services)
8locate.tk (dot.tk does odd things with domains)
15load.tv (registered 04NOV08 with UK2 Group)
17gdi.tv (registered 11NOV08 with UK2 Group)
manage5.tv (registered 29OCT08 with UK2 Group)
root71.ws (registered 06NOV08 with Directi Internet Solutions)
udp96.ws (registered 04NOV08 with Directi Internet Solutions)




That's just the beginning, though. Then we have the problem of the nameservers and fast-flux hosting. While most domains have two or three nameservers, these domains have as many as 19, all of them inside the phishing domain itself: ns1.sslweb5.bz, ns2.sslweb5.bz, ns3.sslweb5.bz ... all the way up to ns19.sslweb5.bz.

The IP addresses used for the nameservers belong to compromised home computers running the Asprox malware. Without their owners' knowledge, these machines provide name resolution for the phishing domains. Just as an example, the following IP addresses are all currently acting as nameservers for the Asprox phishing sites:

62.219.252.109
67.85.69.196
68.6.180.109
68.197.137.239
69.152.88.191
69.183.251.177
70.82.24.172
70.154.82.100
72.12.170.148
72.204.44.232
74.57.110.49
74.193.44.82
74.196.156.180
75.109.252.245
76.73.237.59
76.179.26.169
76.182.187.206
76.240.151.177
76.248.76.121
99.224.77.151

Each one of these IPs provides name service for dozens of domains used by this criminal. Currently they are serving:
sslweb5.bz
code11.ca
input2.cc
sslcom5.cc
3update.eu
ide08.gs
11tag.in
1server.jp
48filt.jp
4logon.jp
63root.jp
asp29.jp
pif02.jp
5version.mobi
25uid.name
offset9.name
sys17.name
berjke.ru
8locate.tk
15load.tv
17gdi.tv
libid5.tv
manage5.tv
root71.ws
udp96.ws

The nameservers are used to direct email recipients to other infected computers, where they are shown the fake bank pages. (Those computers are actually acting as a "proxy", loading the real phishing content from yet another location.)
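The nameserver pattern described above, as an added example that is not code from the post: the indicators that separate a fluxed zone (nineteen in-bailiwick nameservers whose addresses are scattered across residential networks) from an ordinarily hosted one, and the shared-infrastructure pivot that takes one known phish domain and recovers every other domain served by the same compromised hosts. The twenty nameserver IPs and the twenty-five served domains are the ones listed above; the thresholds, the "example.net" comparison zone and its 203.0.113.x addresses are constructed for this example.

```python
"""Nameserver-side fast-flux indicators and a shared-IP pivot.

Added example, not code from the post. The IPs and the served-domain list
are the ones quoted in the post; the thresholds and the "example.net"
comparison zone (RFC 5737 test addresses) are this example's assumptions.
"""
import ipaddress

# Nameserver IPs quoted in the post (compromised residential hosts).
ASPROX_NS_IPS = [
    "62.219.252.109", "67.85.69.196", "68.6.180.109", "68.197.137.239",
    "69.152.88.191", "69.183.251.177", "70.82.24.172", "70.154.82.100",
    "72.12.170.148", "72.204.44.232", "74.57.110.49", "74.193.44.82",
    "74.196.156.180", "75.109.252.245", "76.73.237.59", "76.179.26.169",
    "76.182.187.206", "76.240.151.177", "76.248.76.121", "99.224.77.151",
]
# Domains the post says every one of those IPs is serving.
ASPROX_DOMAINS = [
    "sslweb5.bz", "code11.ca", "input2.cc", "sslcom5.cc", "3update.eu",
    "ide08.gs", "11tag.in", "1server.jp", "48filt.jp", "4logon.jp",
    "63root.jp", "asp29.jp", "pif02.jp", "5version.mobi", "25uid.name",
    "offset9.name", "sys17.name", "berjke.ru", "8locate.tk", "15load.tv",
    "17gdi.tv", "libid5.tv", "manage5.tv", "root71.ws", "udp96.ws",
]
# Thresholds are assumptions; tune them against your own passive-DNS baseline.
MAX_NORMAL_NS = 4       # most zones have two or three nameservers
MIN_FLUX_NETWORKS = 5   # hosting providers cluster in a few /16s; botnets scatter


def ns_hostnames(zone, count):
    """The ns1..nsN.<zone> naming the post describes."""
    return [f"ns{i}.{zone}" for i in range(1, count + 1)]


def flux_indicators(zone, ns_hosts, ns_ips):
    """Indicators that separate a fluxed zone from an ordinarily hosted one."""
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ns_ips}
    return {
        "ns_count": len(ns_hosts),
        "in_bailiwick": all(h.endswith("." + zone) for h in ns_hosts),
        "distinct_slash16": len(nets),
        # 1.0 means no two nameserver IPs share a /16: nothing a provider does
        "scatter": len(nets) / max(len(ns_ips), 1),
    }


def is_fluxed(ind):
    """Flag when the zone has far too many nameservers AND they are scattered."""
    return (ind["ns_count"] > MAX_NORMAL_NS
            and ind["distinct_slash16"] >= MIN_FLUX_NETWORKS)


def build_index(domain_to_ips):
    """Invert a domain -> nameserver-IP map into IP -> domains for pivoting."""
    index = {}
    for domain, ips in domain_to_ips.items():
        for ip in ips:
            index.setdefault(ip, set()).add(domain)
    return index


def pivot(seed, domain_to_ips, min_shared=3):
    """Domains sharing at least min_shared nameserver IPs with seed."""
    index = build_index(domain_to_ips)
    shared = {}
    for ip in domain_to_ips.get(seed, ()):
        for other in index.get(ip, ()):
            if other != seed:
                shared[other] = shared.get(other, 0) + 1
    return {d for d, n in shared.items() if n >= min_shared}


# Constructed sample: the Asprox zones plus one ordinary zone for contrast.
SAMPLE_ZONES = {d: set(ASPROX_NS_IPS) for d in ASPROX_DOMAINS}
SAMPLE_ZONES["example.net"] = {"203.0.113.10", "203.0.113.11"}

if __name__ == "__main__":
    ind = flux_indicators("sslweb5.bz", ns_hostnames("sslweb5.bz", 19), ASPROX_NS_IPS)
    print("sslweb5.bz", ind, "FLUX" if is_fluxed(ind) else "ok")
    print("pivot from sslweb5.bz:", len(pivot("sslweb5.bz", SAMPLE_ZONES)), "domains")
```

The pivot is the practical part: given one confirmed phish domain, it returns the other twenty-four zones riding the same compromised hosts and leaves the legitimately hosted example.net out, which is how a single spam report turns into a takedown list covering the whole campaign.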

In addition to the phishing pages, the other machines in the botnet also provide infection services.

The current domains being used for infection are:

www.berjke.ru
and
www.81dns.ru

Google Safe Browsing won't let you visit either of those sites, because they have been "an intermediary for the infection of 770 sites including ssaga-g.com, csmfilter.co.kr, parenthesis-mykonos.com". Google Safe Browsing goes on to answer the question "Has this site hosted malware?" with "Yes, this site has hosted malicious software over the past 90 days. It infected 3324 domains including csmfilter.co.kr, sarangsae.com, istanbulihl1991.com."

Checking Google Safe Browsing for one of those sites shows things like:

"Of the 423 pages we tested on this site over the past 90 days, 130 pages resulted in malicious software being downloaded and installed without user consent. The last time Google visited the site was 2008-11-21, and the last time suspicious content was found on the site was on 2008-11-21.

Malicious software includes 168 scripting exploits, 28 exploits, 4 trojans. Successful infection resulted in an average of 2 new processes on the target machine.

8 domains appear to be functioning as intermediaries for distributing malware to visitors of this site, including egyptgood.cn, 81dns.ru, berjke.ru"

At the moment, a Google search for that script site alone turns up 18,400 "drive-by" infection pages. Some of the infected sites belong to hotels, ski resorts, chemical companies, motorcycle sites, real estate sites, nail salons, churches, and the government of Ohio (survey.workforce411.ohio.gov has many infected pages).

There have been MILLIONS of these pages . . . I'll have more details soon....
Posted in phishing
