Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

I sense a phishing storm approaching …

September 17th 2008 in Uncategorized

I’m sure my readers already know about the goings-on affecting Estdomains/Intercage and Atrivo in recent times – suffice to say that the bad guys are being chased from pillar to post and back again, and were at risk of being knocked off the Internet completely.

Brian Krebs can claim credit for starting this most recent bloodbath.  His efforts, and more importantly the success he has achieved, make my small efforts chasing individual fraudware domains from host to host absolutely pale in comparison :o)

Brian’s reports can be seen here (about Atrivo):
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

and here (again about Atrivo):
http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grows_more_i.html

and here (about Estdomains, described as Atrivo’s biggest customer):
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html

and here (again about Estdomains):
http://voices.washingtonpost.com/securityfix/2008/09/estdomains_a_sordid_history_an.html

To summarize briefly, the end result of Brian’s articles was that Intercage (aka Atrivo) lost its upstream providers, being dumped by “Global Crossing” (a name that will appear again later in this article) as well as BandCon and WVFiber.  Not only that, nLayer Communications have demanded that Atrivo hand back a slew of IP addresses supplied to them by nLayer. 

Atrivo/Intercage eventually came to rest at Pacific Internet Exchange LLC.  PIA’s upstream is COGENT, who are apparently watching the situation very closely (COGENT ticket number HD0000000789038)  (source: NANOG mailing list)

Intercage declared on the 7th of September that they were removing Hostfresh from their network (Hostfresh being another name associated with Esthost/Estdomains). Hostfresh’s upstream is currently ANC Asia Netcom Corporation, who have in turn spread their requirements between 15 different upstream providers, namely Tiscali, Global Crossing, AT&T, TeliaNet, Flag Telecom, Reach Network, Hong Kong Internet Exchange, Singtel, Equinix, PIPE, Internet Initiative Japan, Hutchison, KDI, Korean Telecom and Telecom Italia.  With such a high level of redundancy, it may be harder to encourage ANC Asia Netcom to take action, should that be needed.


Estdomains have fought back, issuing a press release that you can see here:
http://www.prweb.com/releases/2008/09/prweb1325214.htm

and here:
http://www.domainnews.com/en/general/estdomains-denies-links-to-malware-distribution.html

Anyway, that is enough history – let’s get back to the potential phishing storm.  Estdomains’ indignation in their press release rings a little false when we look at some of their most recent registrations.  Check it out – I am sure you will agree there is a definite banking “flavor” – the registrations occurred within the past 24 hours or so:


When I started writing this article, bankdatacentral.us was hosting a fake “First Bank” login page at bankdatacentral.us/olb/ (screenshot above), and was using a geolocator script from ip2location.com. This script recorded IP location, geographical location, latitude/longitude, IP in use, time zone, IDD code and “weather station”.  For a short while, the URL bankdatacentral.us went offline (failing to resolve), before reappearing and again loading bankdatacentral.us/olb/ which in turn directed to bankdatacentral.us/s/c.php without showing any other content, but then the fake log-in page at /olb/ came back.

Content for /olb/ is being pulled directly from www2.firstbanks.com (style sheets, graphics, JavaScript).
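As an added example (not part of the original post), here is the kind of check a bank’s own web team could run over its access logs to spot clone sites that hotlink its style sheets and graphics: the Referer header on each asset request names the page that embedded it. The log lines, allowed hosts and file extensions below are constructed assumptions, with bankdatacentral.us as the suspect host from this post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: only the bank's own hosts may legitimately embed its static assets.
ALLOWED_HOSTS = {"www2.firstbanks.com", "www.firstbanks.com"}
ASSET_EXTS = (".css", ".js", ".gif", ".png", ".jpg")


def referer_host(referer):
    """Lowercase host of a Referer URL, or None when absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname  # hostname is already lowercased


def find_hotlinking_hosts(log_lines):
    """Count asset requests per foreign Referer host; each such host is a candidate clone site."""
    suspects = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = m.group("path").split("?")[0].lower()
        if not path.endswith(ASSET_EXTS):
            continue  # only static assets reveal embedding pages reliably
        host = referer_host(m.group("referer"))
        if host is None or host in ALLOWED_HOSTS:
            continue
        suspects[host] += 1
    return dict(suspects)


# Constructed sample log: two asset hits from the clone, one legitimate, one without
# a Referer, one non-asset page hit from elsewhere, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Sep/2008:10:15:01 +0000] "GET /css/olb.css HTTP/1.1" 200 1834 "http://bankdatacentral.us/olb/" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Sep/2008:10:15:02 +0000] "GET /img/logo.gif HTTP/1.1" 200 5120 "http://bankdatacentral.us/olb/" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Sep/2008:10:16:30 +0000] "GET /css/olb.css HTTP/1.1" 200 1834 "https://www2.firstbanks.com/olb/login" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Sep/2008:10:17:00 +0000] "GET /js/login.js HTTP/1.1" 304 - "-" "Mozilla/5.0"',
    '192.0.2.20 - - [17/Sep/2008:10:18:00 +0000] "GET /olb/login HTTP/1.1" 200 9000 "http://example-search.test/q" "Mozilla/5.0"',
    'garbage line',
]

if __name__ == "__main__":
    print(find_hotlinking_hosts(SAMPLE_LOG))  # {'bankdatacentral.us': 2}
```

A non-empty result is a lead, not proof: legitimate aggregators and caches also hotlink, so the hit list is reviewed before any takedown request is sent.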

I should also point out that in recent times I have seen malware sites utilizing maxmind.com, which supplies similar “geolocation technology” to that supplied by ip2location.com.

Up until a few days ago, Estdomains were registering a lot of medical-related domains, such as meds1499.us, meds1512.com, meds1513.com, meds1514.us, meds1515.com etc etc etc (you get the idea, I’m sure).  The domains that were live when I looked at them were hosting or redirecting to various “Canadian Pharmacy” sites.

In short, things are not over yet – not by a long shot.  In fact, I see that, within the last hour and a half, a new domain has been added to my list, online172.com (and online175, online176, online139 and online136 at different times), which at time of writing are redirecting to a “Canadian Pharmacy” site.


2 comments to “I sense a phishing storm approaching …”

estMate

All listed domains are already suspended



redwolfe_98

sandi, in your article, you mention a “www2.firstbanks.com”. Is that link malicious, or is it “legitimate”? thanks 🙂

