There's a famous line in the movie Jerry McGuire where Tom Cruise's character says "Show me the Money!" In online investigations, I prefer the line "Show me the Data!" This morning I was doing just that and found an interesting cluster of badness.
Dr. Elizabeth Gardner at UAB leads our Forensic Sciences program in the Department of Criminal Justice. She and I have partnered on many projects in the past by mixing our expertise. She's a forensic drug chemist, and I chase bad guys on the Internet. 8-). Our current project follows up on some of the work we shared with the
BBC Click episode "Can Technology Solve the Opioid Crisis?"
Last night we threw 586 Opioid and Fentanyl selling websites into our clustering-by-location program that Zack Knight (one of my student malware analysts) had developed for another project. Our goal was to find clusters of drug-selling websites "in the same place" and then use other tools to explore what else is hosted in the same location. The tool sorts first by country, then by ASN, and then by NetBlock. There was a nice cluster that revealed itself, consisting of six websites all on the same Class C NetBlock:
Company: VERDINA Ltd., Autonomous System Number AS201133
111.90.156.117
thepleasantproducts[.]com
111.90.156.170
pharm-rx[.]to
111.90.156.173
globalheadshop[.]com
nembutalonlineshops[.]com
111.90.156.61
richmed-pharma[.]com
111.90.156.64
researchkem[.]com
Why were these sites in our database? Well, they offer some overtly bad stuff for sale. Here's an example:
 |
| thepleasantproducts[.]com |
 |
| pharm-rx[.]to |
 |
| nembutalonlineshops[.]com |
You can clearly see why our Opioids project is interested in these sites! But what we wanted to know was, given that there were six very clearly objectionable sites on the same Class C Subnet, might there be other sites there as well. That's where the Zetalytics "ZoneCruncher" tool came into place. We asked ZoneCruncher what other sites were recently resolved to this Netblock, fully expecting it to give us a list back of additional drug sales websites! What we got back was much more interesting!
 |
| 111.90.156.0/24 via ZoneCruncher from Zetalytics |
As soon as I saw the results, I knew exactly what scammers were behind these sites, as we were well familiar with the group from the work I've done with the excellent Business Email Compromise researchers at
Artists Againt 419 (AA419)! The "signature" of this group is their reliance on a set of nameservers running on domains "steeldns[.]com" "metaldns[.]com" and "argondns[.]com" hosted on the Malaysian hosting company Shinjiru MSC. Verdina Ltd. is the owner of this particular netblock, which uses the Autonomous System Number AS201133.
Verdina has a few other
Netblocks that we'll be exploring later, but this one has plenty of badness on its own! Some of the most recent sites we have on this same Netblock include:
A fake Bank of Ireland site, indicating they would like to refund a suspicious transaction to your Visa card:
 |
| boi365refunds[.]com |
 |
| of course, first you have to login . . . |
An alert that your NETFLIX payment has been declined, which of course also requires a bit more information to "RESTART MEMBERSHIP" ...
 |
| netflx9-msg101[.]com |
 |
| netflx9-msg101[.]com / alldetails.html |
Many of the sites identified by ZoneCruncher have either already been remedied by security researchers working with registrars, are have not yet been deployed by the scammers. The domain names themselves indicate the range of their creative scamming:
Covid Charity Scams
=============================
| e-media-covid19-relief[.]ibonline[.]digital |
| e-media-covid-19-relief-fund-donations[.]ibonline[.]digital |
| e-media-covid-19-relief-fund-donations-for-food-parcel[.]ibonline[.]digital |
emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
givedirectly-covid19-emergency-fund[.]ibonline[.]digital
| www.1covid-19-d[.]com |
| www.1covid9-cerb[.]com |
Netflix Phish
=============================
n3tflix-billupdate1[.]com
| netfl1x-accupdate3[.]com |
| netfloux474[.]com |
| netflx1-sms98[.]com |
netflx9-msg101[.]com
Paypal phish, Scotia Bank phish, RBC phish, ANZ phish
============================
| paypai[.]restringido[.]org |
paypal[.]restringido[.]org
rbcsecu1ces32[.]com
scotia1ban2k1-info[.]com
"Secure" Messaging portals
==================== |
msg-integrity[.]com
report-payments[.]net
threessl[.]com
and so many more ... 112 different "scammy" domains were hosted on this single Class C just in the past ten days! |
|
|
|
|
UK Government Refund Scam
|
|
|
|
The most interesting of the current batch, however, was this one which was a means to update payment details in order to receive a refund from the UK Government via the website www[.]govuk-proceed-application[.]com, pictured below:
 |
| shall we begin the process? |
 |
| Give us all your personal data . . . |
 |
| Don't worry! Everything is "secured with 256-BIT SSL Layer!" |
 |
| Give us all of your Banking Details! |
 |
And at the conclusion, you'll get a nice confirmation number!
(before a bit.ly link forwards you to the real UK Government) |
Other Examples of Live Badness
Just a few more examples . . . all live as of this writing . . .
 |
| volksign[.]bausp[.]com |
 |
| Gold Investing anyone? |
 |
| Paypal Phish |
Bottom line? Exploring the Network Neighborhood of a cluster of bad sites can lead to some very interesting findings! I'm looking forward to learning more from Zetalytics! They show 19,000+ more domains that were served by "ns1.metaldns.com" and so very many of them look scammy!
Posts
No comments:
Post a Comment
Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.