SANS Internet Storm Center - SANS ISC InfoSec Forums
"Careerbuilder Job Application" email scam with Dynamic DNS
This morning I received a "Careerbuilder Job Application" email (below) asking me to reply to an email address at sarcony.com. Looking at information on the domain, it turned out that nsX.makesoulbraives.com are the registered DNS providers for sarkony.com. The odd part is that nsX.makesoulbraives.com does not appear to be a legitimate dynamic DNS provider. This appears to me to be a "more" sophisticated-than-usual scam and service abuse. ymmv.

Both sarcony.com and nsX.makesoulbraives.com have had a number of IP addresses today; sarcony.com was obviously utilizing dynamic DNS. This morning sarcony.com had the IP addresses:

83.243.33.25
69.192.206.42
84.135.28.52
152.66.214.90

Currently, sarcony.com doesn't resolve ( ; ^ ).

Public records indicate that sarcony.com had:
Updated Date: 13-nov-2005
Creation Date: 13-nov-2005
Expiration Date: 13-nov-2006

Public records indicated that DNS was provided by:
ns1.makesoulbraives.com
ns2.makesoulbraives.com

During the day, DNS records for those registered nameservers have pointed to:

ns1.makesoulbraives.com at  66.227.144.196
ns1.makesoulbraives.com at 151.198.140.186
ns1.makesoulbraives.com at 213.211.243.10

ns2.makesoulbraives.com at  68.105.15.143
ns2.makesoulbraives.com at 172.178.188.31 <==AOL address

There was a third service provider for sarcony.com: email service at mail.makesoulbraives.com, 67.159.5.191, whose DNS records pointed to ns1 and ns2.makesoulbraives.com. Currently, mail.makesoulbraives.com doesn't resolve ( ; ^ ).

Public records indicate that makesoulbraives.com and mail.makesoulbraives.com had:
Updated Date: 16-nov-2005
Creation Date: 04-nov-2005
Expiration Date: 04-nov-2006

The abuse of dynamic DNS service for sarcony.com in this type of apparent scam allowed the domain sarcony.com to exist at any IP registering with the dynamic DNS service. In this case DNS service appears to be dynamically located too: DNS service has been provided by a registered domain that has had multiple IPs throughout the day:

ns1.makesoulbraives.com at  66.227.144.196
ns1.makesoulbraives.com at 151.198.140.186
ns1.makesoulbraives.com at 213.211.243.10

ns2.makesoulbraives.com at  68.105.15.143
ns2.makesoulbraives.com at 172.178.188.31 <==AOL address

Typically, dynamic DNS is provided by one of the well-known dynamic DNS service providers. In this case, registration and resolution records point at an interesting setup: first, the IPs of sarcony.com systems are enrolled utilizing dynamic DNS, and then DNS services come from registered "name servers" with IP addresses that appear dynamic in nature.

Typically, the abuse of legitimate dynamic DNS service providers in a situation like this is intended to keep the destination domain (in this case sarcony.com) hopping from one exploited system to another, in an attempt to stay ahead of and avoid shutdown by legitimate service providers who receive complaints. This can be highly effective in avoiding shutdown. However, there are also the changing public registration records pointing to new DNS server IPs, an indication that there may actually be DNS service provided by DNS servers that are hopping around by more dynamic DNS abuse.

Got correlations anyone?

The most effective method of combating abuse/scams such as this is to eliminate the dynamic DNS support. sarcony.com and mail.makesoulbraives.com disappeared quite soon after the abuse email went out. I'll post the results of other efforts when, hopefully, they generate results.

ns1 and ns2 makesoulbraives.com are also mentioned in a post at dslreports.com - "SPAM from Korea; (links hobbled)".
http://www.dslreports.com/forum/remark,14742535

The email:

Date: Thu, 17 Nov 2005 02:23:41 -0500
From: Careerbuilder <yumpy@dbzmail.com>
Subject: Careerbuilder Job Application
To: me
Message-id: <6.0.0.22.1.20051117022341.d58f1ab5@dbzmail.com>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Content-type: text/plain; format=flowed
Content-transfer-encoding: 7bit
Original-recipient: rfc822;me
 
Sarkony Incorporated can help you make your dreams come true while getting a monthly wage working on the Internet.

Everything you need to work with Swiport Incorporated is:

being a United States, United Kingdom, Italy or Spain citizen
having a bank account (paypal account)
having a computer connected to the Internet
a little of your spare time

How it works:

Working for us as a Payment Processing Manager, you will become a part
of the new trend in the world banking system. Duties of the position are simple, and income depends only on your efforts. All you have to do is transfer payments between our clients getting your interest from each operation.

Basically it will be 5-10%, with each transfer your interest will grow.

If you want to work with us, contact your personal manager Ms. Pamela Watkins, e-mail: Pamela@sarkony.com

Sarkony Incorporated cares about your prosperity. Make your life better together with Sarkony Incorporated.

Patrick
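Added example (not code from the post or from SANS ISC): a defender-side detector for the pattern Patrick describes, where both the scam domain's A records and the A records of its registered nameservers hop across unrelated networks during the day. It assumes a constructed resolution log in the format shown (built from the addresses quoted in the post plus one stable control name) and /16-based thresholds that are assumptions to tune per site.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed log of periodic resolutions, one observation per line:
# "<timestamp> <name> <type> <value>". example.org is the stable control.
SAMPLE_LOG = """\
2005-11-17T08:00 sarcony.com NS ns1.makesoulbraives.com
2005-11-17T08:00 sarcony.com NS ns2.makesoulbraives.com
2005-11-17T08:00 sarcony.com A 83.243.33.25
2005-11-17T09:00 sarcony.com A 69.192.206.42
2005-11-17T11:00 sarcony.com A 84.135.28.52
2005-11-17T13:00 sarcony.com A 152.66.214.90
2005-11-17T08:00 ns1.makesoulbraives.com A 66.227.144.196
2005-11-17T12:00 ns1.makesoulbraives.com A 151.198.140.186
2005-11-17T16:00 ns1.makesoulbraives.com A 213.211.243.10
2005-11-17T08:00 ns2.makesoulbraives.com A 68.105.15.143
2005-11-17T14:00 ns2.makesoulbraives.com A 172.178.188.31
2005-11-17T08:00 example.org NS ns1.example.net
2005-11-17T08:00 example.org A 192.0.2.10
2005-11-17T08:00 ns1.example.net A 192.0.2.53
"""

def parse_log(text):
    """Collect the distinct values seen for each (name, record type)."""
    seen = defaultdict(set)
    for line in text.splitlines():
        _ts, name, rtype, value = line.split()
        seen[(name.lower(), rtype)].add(value.lower())
    return seen

def distinct_networks(addrs):
    """Count distinct /16 prefixes: hopping across unrelated networks is the
    signal, not a few addresses inside one provider's range."""
    return len({ip_address(a).packed[:2] for a in addrs})

def flag_hopping(seen, min_nets=3, min_ns_nets=2):
    """Flag names whose A records spread over >= min_nets /16s AND whose every
    nameserver also spreads over >= min_ns_nets /16s (thresholds assumed)."""
    flagged = {}
    for (name, rtype), values in seen.items():
        if rtype != "A" or distinct_networks(values) < min_nets:
            continue
        ns_hosts = seen.get((name, "NS"), set())
        ns_nets = {h: distinct_networks(seen.get((h, "A"), ())) for h in ns_hosts}
        if ns_hosts and all(n >= min_ns_nets for n in ns_nets.values()):
            flagged[name] = {"a_networks": distinct_networks(values),
                             "ns_networks": ns_nets}
    return flagged
```

A name flagged this way is a candidate for an abuse report to the dynamic DNS provider, which is the remedy the post found effective.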