Thursday, April 23, 2020

Scam Everything - Opioids, NetFlix, Phish, Covid Charities, and Government Refunds in one network neighborhood

There's a famous line in the movie Jerry Maguire where Tom Cruise's character says "Show me the Money!"  In online investigations, I prefer the line "Show me the Data!"  This morning I was doing just that and found an interesting cluster of badness.

Dr. Elizabeth Gardner at UAB leads our Forensic Sciences program in the Department of Criminal Justice.  She and I have partnered on many projects in the past by mixing our expertise.  She's a forensic drug chemist, and I chase bad guys on the Internet.  8-).  Our current project follows up on some of the work we shared with the BBC Click episode "Can Technology Solve the Opioid Crisis?"

Last night we threw 586 Opioid and Fentanyl selling websites into our clustering-by-location program that Zack Knight (one of my student malware analysts) had developed for another project.  Our goal was to find clusters of drug-selling websites "in the same place" and then use other tools to explore what else is hosted in the same location.  The tool sorts first by country, then by ASN, and then by NetBlock.  There was a nice cluster that revealed itself, consisting of six websites all on the same Class C NetBlock:

Company: VERDINA Ltd., Autonomous System Number AS201133
111.90.156.117   thepleasantproducts[.]com
111.90.156.170   pharm-rx[.]to
111.90.156.173   globalheadshop[.]com
111.90.156.173   nembutalonlineshops[.]com
111.90.156.61    richmed-pharma[.]com
111.90.156.64    researchkem[.]com

Why were these sites in our database?  Well, they offer some overtly bad stuff for sale.  Here's an example:
[Screenshots of the storefronts at thepleasantproducts[.]com, pharm-rx[.]to and nembutalonlineshops[.]com]
You can clearly see why our Opioids project is interested in these sites!  But what we wanted to know was, given that there were six very clearly objectionable sites on the same Class C subnet, might there be other sites there as well?  That's where the Zetalytics "ZoneCruncher" tool came into play.  We asked ZoneCruncher what other sites had recently resolved to this netblock, fully expecting it to give us back a list of additional drug sales websites!  What we got back was much more interesting!

[Screenshot: 111.90.156.0/24 via ZoneCruncher from Zetalytics]
As soon as I saw the results, I knew exactly what scammers were behind these sites, as we were well familiar with the group from the work I've done with the excellent Business Email Compromise researchers at Artists Against 419 (AA419)!  The "signature" of this group is their reliance on a set of nameservers running on the domains "steeldns[.]com", "metaldns[.]com" and "argondns[.]com", hosted at the Malaysian hosting company Shinjiru MSC.  Verdina Ltd. is the owner of this particular netblock, which uses the Autonomous System Number AS201133.
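The clustering step described earlier (sort by country, then ASN, then netblock) and the two pivots used here, "what else resolved into this netblock" and "what else is served by the same nameservers", as an added example in Python. This is not Zack Knight's tool or Zetalytics' ZoneCruncher; the resolution records, hostnames (.example), country codes, private-use ASNs and TEST-NET addresses are all constructed, and a real run would feed it passive DNS and ASN/geolocation enrichment instead.

```python
"""Cluster resolved hostnames by country / ASN / netblock, then pivot on the
network neighbourhood and on shared nameservers.

Added example; not the UAB clustering tool or Zetalytics' ZoneCruncher.
Every record below is constructed (TEST-NET addresses, .example hostnames,
private-use ASNs, invented country codes)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Resolution:
    host: str
    ip: str
    country: str        # country of the netblock, as an enrichment source would report it
    asn: int
    nameservers: tuple  # authoritative nameservers for the host's zone


NS_A = ("ns1.dns-a.example", "ns2.dns-a.example")

# Constructed sample records standing in for passive-DNS output.
SAMPLE = [
    Resolution("pills-shop.example", "198.51.100.17", "XX", 64500, NS_A),
    Resolution("rx-online.example", "198.51.100.70", "XX", 64500, NS_A),
    Resolution("research-chem.example", "198.51.100.64", "XX", 64500, NS_A),
    Resolution("bank-refunds.example", "198.51.100.9", "XX", 64500, NS_A),
    Resolution("streaming-billing.example", "198.51.100.201", "XX", 64500, NS_A),
    Resolution("other-shop.example", "198.51.101.5", "XX", 64500, NS_A[:1]),     # same ASN, next /24
    Resolution("legit-blog.example", "192.0.2.44", "YY", 64501, ("ns1.dns-b.example",)),
    Resolution("far-away-shop.example", "203.0.113.8", "ZZ", 64502, NS_A[:1]),  # shares a nameserver only
]

# The "known bad" input list (the drug-selling sites in the post's scenario).
SEED_HOSTS = {"pills-shop.example", "rx-online.example", "research-chem.example"}


def netblock(ip: str, prefix: int = 24) -> str:
    """Return the /prefix network containing ip, e.g. '198.51.100.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def cluster_by_location(records, prefix: int = 24) -> dict:
    """Group hosts by (country, ASN, netblock); largest clusters first."""
    groups = defaultdict(set)
    for r in records:
        groups[(r.country, r.asn, netblock(r.ip, prefix))].add(r.host)
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {key: sorted(hosts) for key, hosts in ordered}


def dense_clusters(records, seeds, min_size: int = 2, prefix: int = 24) -> dict:
    """Clusters holding at least min_size seed hosts: the 'same place' signal."""
    found = {}
    for key, hosts in cluster_by_location(records, prefix).items():
        hits = sorted(set(hosts) & set(seeds))
        if len(hits) >= min_size:
            found[key] = hits
    return found


def neighborhood(records, seeds, prefix: int = 24) -> dict:
    """Pivot 1: non-seed hosts that resolved into a netblock holding a seed host."""
    bad_blocks = {netblock(r.ip, prefix) for r in records if r.host in seeds}
    neighbors = defaultdict(set)
    for r in records:
        block = netblock(r.ip, prefix)
        if block in bad_blocks and r.host not in seeds:
            neighbors[block].add(r.host)
    return {block: sorted(hosts) for block, hosts in neighbors.items()}


def nameserver_pivot(records, seeds) -> list:
    """Pivot 2: non-seed hosts served by any nameserver that also serves a seed host."""
    seed_ns = {ns for r in records if r.host in seeds for ns in r.nameservers}
    return sorted(r.host for r in records
                  if r.host not in seeds and seed_ns.intersection(r.nameservers))


if __name__ == "__main__":
    for key, hits in dense_clusters(SAMPLE, SEED_HOSTS).items():
        print("cluster", key, "->", hits)
    for block, hosts in neighborhood(SAMPLE, SEED_HOSTS).items():
        print("also in", block, "->", hosts)
    print("sharing nameservers ->", nameserver_pivot(SAMPLE, SEED_HOSTS))
```

The netblock pivot only ever reports hosts that sit in a /24 with a seed, so it stays tight; the nameserver pivot reaches across ASNs (here it pulls in far-away-shop.example from a different country), which is why it produces far more candidates and needs human review before any of them are treated as confirmed bad.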

Verdina has a few other Netblocks that we'll be exploring later, but this one has plenty of badness on its own!  Some of the most recent sites we have on this same Netblock include:

A fake Bank of Ireland site, indicating they would like to refund a suspicious transaction to your Visa card:

[Screenshot: boi365refunds[.]com]
[Screenshot: of course, first you have to login . . .]

An alert that your NETFLIX payment has been declined, which of course also requires a bit more information to "RESTART MEMBERSHIP" ...

[Screenshot: netflx9-msg101[.]com]
[Screenshot: netflx9-msg101[.]com / alldetails.html]

Many of the sites identified by ZoneCruncher have either already been remedied by security researchers working with registrars, or have not yet been deployed by the scammers.  The domain names themselves indicate the range of their creative scamming:

Covid Charity Scams 
=============================
e-media-covid19-relief[.]ibonline[.]digital
e-media-covid-19-relief-fund-donations[.]ibonline[.]digital
e-media-covid-19-relief-fund-donations-for-food-parcel[.]ibonline[.]digital
emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
givedirectly-covid19-emergency-fund[.]ibonline[.]digital
www.1covid-19-d[.]com
www.1covid9-cerb[.]com


Netflix Phish
=============================
n3tflix-billupdate1[.]com
netfl1x-accupdate3[.]com
netfloux474[.]com
netflx1-sms98[.]com
netflx9-msg101[.]com

Paypal phish, Scotia Bank phish, RBC phish, ANZ phish
============================
paypai[.]restringido[.]org
paypal[.]restringido[.]org
rbcsecu1ces32[.]com
scotia1ban2k1-info[.]com

"Secure" Messaging portals
====================
msg-integrity[.]com
report-payments[.]net
threessl[.]com

and so many more ... 112 different "scammy" domains were hosted on this single Class C just in the past ten days!
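The lists above show the naming tricks this crew relies on: a digit standing in for a letter (n3tflix, netfl1x, scotia1ban2k1), a dropped letter (netflx), a near-homoglyph (paypai) and a brand name tucked into a subdomain (paypal[.]restringido[.]org). As an added example that is not from this post, the Python below flags hostnames that impersonate a watched brand; the brand table, the allowlist of domains that legitimately belong to each brand, and the matching thresholds are constructed assumptions that a defender would replace with their own.

```python
"""Flag hostnames that impersonate a watched brand.

Added example, not from the post. The brand table (including which registered
domains are legitimately the brand's own) and the matching thresholds are
constructed assumptions; a real deployment would load the brand list from the
organisation's own records."""
import re

# brand keyword -> registered domains that legitimately belong to it (constructed allowlist)
BRANDS = {
    "netflix": {"netflix.com"},
    "paypal": {"paypal.com"},
    "scotiabank": {"scotiabank.com"},
    "rbc": {"rbc.com"},
    "boi": {"bankofireland.com"},   # Bank of Ireland
    "govuk": {"gov.uk"},
}

# Digit-for-letter swaps seen in the lists above, plus a few common ones.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "9": "g"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def candidate_forms(token: str) -> set:
    """The token as written, with digits read as letters, and with digits dropped."""
    return {token, token.translate(DIGIT_SWAPS), re.sub(r"\d+", "", token)}


def token_matches(token: str, brand: str) -> bool:
    # Short brand keywords are noisy, so they only match as an exact prefix;
    # longer ones match by containment or by a small edit distance.
    max_dist = 2 if len(brand) >= 7 else 1
    for form in candidate_forms(token):
        if not form:
            continue
        if len(brand) < 5:
            if form.startswith(brand):
                return True
        elif brand in form or edit_distance(form, brand) <= max_dist:
            return True
    return False


def impersonated_brand(hostname: str, brands: dict = BRANDS):
    """Return the brand a hostname impersonates, or None."""
    host = hostname.lower().rstrip(".")
    for brand, legit in brands.items():
        if any(host == d or host.endswith("." + d) for d in legit):
            return None                      # the brand's own domain, not a lookalike
    labels = host.split(".")[:-1]            # every label except the TLD; subdomains count too
    for label in labels:
        for token in label.split("-"):
            for brand in brands:
                if token_matches(token, brand):
                    return brand
    return None


def triage(hostnames) -> dict:
    """Bucket hostnames by the brand they impersonate (unflagged ones are dropped)."""
    buckets = {}
    for h in hostnames:
        brand = impersonated_brand(h)
        if brand:
            buckets.setdefault(brand, []).append(h)
    return buckets


if __name__ == "__main__":
    sample = ["n3tflix-billupdate1.com", "paypai.restringido.org", "www.netflix.com", "example.com"]
    print(triage(sample))
```

Run over a newly-registered-domains feed or over the output of a netblock pivot like the one above, this is a triage filter, not a verdict: short keywords such as "rbc" or "boi" are matched only as a prefix precisely because they would otherwise light up on ordinary words, and every hit still needs a look at the live page before it goes to a registrar.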

UK Government Refund Scam 

The most interesting of the current batch, however, was this one, which asks the victim to update their payment details in order to receive a refund from the UK Government, via the website www[.]govuk-proceed-application[.]com, pictured below:

[Screenshot: shall we begin the process?]
[Screenshot: Give us all your personal data . . .]
[Screenshot: Don't worry!  Everything is "secured with 256-BIT SSL Layer!"]
[Screenshot: Give us all of your Banking Details!]
[Screenshot: And at the conclusion, you'll get a nice confirmation number! (before a bit.ly link forwards you to the real UK Government)]


Other Examples of Live Badness

Just a few more examples . . . all live as of this writing . . .

[Screenshot: volksign[.]bausp[.]com]
[Screenshot: Gold Investing anyone?]
[Screenshot: Paypal Phish]

Bottom line?  Exploring the Network Neighborhood of a cluster of bad sites can lead to some very interesting findings!  I'm looking forward to learning more from Zetalytics!  They show 19,000+ more domains that were served by "ns1.metaldns.com" and so very many of them look scammy!


