Sunday, October 26, 2008

Phishing Clue Needed in Ecuador

UPDATE: MISSION ACCOMPLISHED


After 26 days of continuous abuse, all of the ".ec" domains mentioned below were terminated within 1 day of the posting of this article. Thanks to those who saw this and helped bring it to the attention of our new friends in Ecuador...

End Update



Help! If you happen to know someone who works at NIC.EC, would you be willing to help translate a phishing problem to them?

The current longest-lived phishing campaign on the planet is currently abusing a group of domains in Ecuador, and its time for these domains to be terminated.

The domains in question are:

dll.ec
dll.com.ec
dll.net.ec
dllst.net.ec
dllst.ec

This campaign is part of the longest lived phishing campaign in the history of phishing, which has been continually plaguing Abbey Bank, a part of the Santander Group. Its long been obvious in the anti-phishing world that no one at Santander Group cares about phishing, so we pretty much just leave them alone. They don't answer emails, they don't have a visible level of participation in the Anti-Phishing Working Group, and they don't have a visible level of participation in the Digital PhishNet. They are also one of the few phishing-targeted banks on the planet that don't seem to use any external anti-phishing services. (Based on volume and longevity of phishing sites only -- if they are paying someone to shut down phishing sites, that company should find a new line of work.)

But this post isn't about Abbey. If Abbey were the only victim, I wouldn't be writing this. The problem is that the great success this phisher is having hosting his domains on ".ec" (Ecuador) domain space has caused him to branch out to target other brands.

The current Abbey path "/CentralFormWeb/Form/", has been in use since September 23rd. Since that date, I've received 64,473 alerts of phishing URLs on that path. The initial domains for the attack, dlstcks.com, dlstcks.net, and dlstcks.org were quickly terminated. dllst.ec was created on September 26th and has been used contantly since that time. dllst.com.ec, dllst.net.ec were added on September 27th, and dll.ec and dll.com.ec on September 30th.

Several other domains have come and gone during this campaign, including: dllstd.eu, dllstd.me.uk, ppt.net.kg, dlspot01.com, dllst.vu, dll-i.ph, dll-s.eu, dllsrv.co.uk, server.org.kg, dllstd.co.uk, dllsrv.co.uk.

For each of the domains above, one can do "path replacement" to demonstrate that there are several brands being targeted. As an example:

http://myonlineaccounts2.abbeynational.co.uk.dll.ec/CentralFormWeb/Form/



http://www.americanexpress.com.dll.ec/myca/form/serverstack/action



http://www.scotiaonline.scotiabank.com.dll.ec/online/form.jsp



http://online.lloydstsb.co.uk.dll.ec/customercare/serverid/cform.jsp



The machine name portion does not matter. Any machine name may be used with any of the four paths.

American Express was added to the attack on October 20th. That's EXTREMELY unusual, as we almost never see attacks against American Express!

Scotia Bank was next, added to the attack on October 23rd, using .dllst.com.ec, .dllst.ec since its first day.

Lloyds TSB is the newest victim brand, introduced to these paths only on October 25th. The Lloyds and Scotia attack paths have only used 9 domain names so far this time around, with the paths "/myca/form/serverstack/action" and "/online/form.jsp/" respectively:

dll.ec
dllst.com.ec
dllst.ec
dllst.net.ec

moder.ph

infod.tk
infodl.tk
mmdt.tk
tracklt.tk

I'm watching for new domains both in my phish pheeds, and by monitoring the Nameservers ns1.bestthetravel.net and ns1.alterdll.com, both being currently preferred by this phisher.

Because these are "proxy hosted" phish, they may temporarily not resolve for 90 seconds or so until it is noticed that one of the proxies is non-functional. When that is detected, the phisher's monitoring system automagically updates the nameserver resolution to point to a new available proxy. With a pool of thousands of potential proxy redirectors, this phish will continue to live until our friends in Ecuador terminate the domain names.

Thanks for any introductions you may have for us.

Oh - for any former CastleCops PIRT Handlers - I'm happy to report that the system seems "stable" and its time to report back to work! We've had a few die-hard PIRT Handlers who have worked straight through - most notably "Downie" and "s0tet". I hope to see many of the rest of you back there soon!

A sample PIRT ticket for the Abbey/AmEx/Scotia phish would be:

http://www.castlecops.com/Abbey_Bank_American_Express_Scotia_Bank_phish973790.html

Hopefully we'll have PIRT tickets for all nine of the active domains by this evening.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.