Tuesday, December 02, 2008

Rock Phish-ing in December

Nothing can warm up the heart of a security researcher better than a batch of currently active Rock Phish domains, fast-fluxing by using U.S based malware  infected hosts as infrastructure provider. What is this assessment of currently active Rock Phish campaign aiming to achieve? In short, prove that the people that were Rock Phish-ing at the beginning of the year, are exactly the same people that continue Rock Phish-ing at the end of the year, thereby pointing out that as long as they're not where they're supposed to be, they are not going to stop innovating and working on a higher average online time for their campaigns.

What's particularly interesting about this campaign, is that compared to previous ones targeting multiple brands, the thousands of malware infected hosts and domains are targeting Alliance & Leicester and Abbey National only.

Active Rock Phish Domains in fast-flux :
stgsfw7sr .com
q06ciwt60 .com
jnlyf96v4 .com
neegzlh35 .com
7azwmrsg5 .com
pn3ekq976 .com
2coxi8sb6 .com
d8ri1iz5d .com
 

ki7wvgauf .com
5nt5r3keh .com
5nt29884j .com
bgoryomek .com
a725jv8ik .com
fke5nnp8m .com
stgsfw7sr .com
10c0ka49t .com
zp304ju3z .com
j0rykafwn .cn
2j1f .net

confirm-updates .com
paypal.confirm-updates .com
user-data-confirmation .com
paypal.user-data-confirmation .com
capitalone.updating-informations .com


Sample sub-domain structure :
mybank.alliance-leicester.co.uk.7azwmrsg5 .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.5nt29884j .com
mybank.aliance-leicester.co.uk.bgoryomek .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.stgsfw7sr .com
mybank.aliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
myonlineaccounts2.abbeynational.co.uk.pn3ekq976 .com
myonlineaccounts1.abeynational.com.pn3ekq976 .com


DNS servers for the campaigns :
ns1.thecherrydns .com
ns2.thecherrydns .com
ns3.thecherrydns .com
ns4.thecherrydns .com
ns5.thecherrydns .com
ns6.thecherrydns .com

ns10.realgoodnameserver .com
ns1.realgoodnameserver .com
rens2.realgoodnameserver .com
rns3.realgoodnameserver .com
ns4.realgoodnameserver .com
ns8.realgoodnameserver .com

ns6.myboomdns .com
ns4.myboomdns .com


Domains registrant :
Name : Pan Wei wei
Organization : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Phone Number : 010-010-58022118-58022118
Fax : 86-010-58022118-58022118
Email : 127@126.com

These well known Rock Phish campaigners, have been naturally multitasking on several different underground fronts throughout the year. For instance, their 2j1f .net is known to have been hosting money mule company's site, and also, it was used in a previously analyzed phishing campaign that was spreading across Facebook in June. Need more evidence on the consolidation that's been ongoing for over an year and half now? An infamous money mule recruiting company (Cash-Transfers Inc.) was also taking advantage of the fast-flux network offered by the ASProx botnet masters in July.

As a firm believer in that "the whole is greater than the sum of its parts", the popular "sitting duck" cybercrime infrastructure hosting model will be either replaced by a cybercrime infrastructure relying entirely on legitimate services, or one where the average malware infected Internet user would be temporarily used as a hosting provider.

If millions were made by using the "sitting duck" hosting model, how many would be made using the others, given that they would inevitably increase the average online time for a malicious campaign?

Related Rock Phish research :
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Assessing a Rock Phish Campaign

Related fast-flux research :
Fast-Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Scam
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Managed Fast Flux Provider - Part Two
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

No comments:

Post a Comment