Tuesday, June 14, 2022

209.1 Host Locked

I've been playing a cat-and-mouse game with the folks behind several different phishing campaigns using the Rock Phish kit for a while now, in between tracking down the New Media Malware Gang and several other related malware campaigns. The Rock Phishers seem to keep track of this, and periodically change the default error message returned by a Rock Phish domain. First it was "209 Host Locked", then it became "66.1 Host Locked", and now they've again changed it on a wide scale to "209.1 Host Locked". Try these:

forceadd.com.ph
goldline.org.ph
paypal-accounts.com
mte1nt.ac.cn

Now, would you believe that due to outsourcing considerations NatWest Bank are now using a Siberian ISP? Naah, in your wicked dreams only! This campaign has been going on for the last 24 hours:

natwest.com.tx49.hk/onlinebanking/customerform.aspx
natwest.com.tx40.hk/onlinebanking/customerform.aspx
natwest.com.tx48.hk/onlinebanking/customerform.aspx
natwest.com.tx15.hk/onlinebanking/customerform.aspx
natwest.com.tx47.hk/onlinebanking/customerform.aspx
natwest.com.tx40.hk/onlinebanking/customerform.aspx
natwest.com.iyeufv.org.ph/onlinebanking/customerform.aspx
natwest.com.yeufv.ph/onlinebanking/customerform.aspx
natwest.com.modifitool.kg/onlinebanking/customerform.aspx
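The hostnames above all share one trick: the brand's real domain (`natwest.com`) is placed as the leading labels of a hostname that actually registers under someone else's domain (`tx49.hk`, `yeufv.ph`, and so on). The following is an added example, not code from the original post, showing how a defender can flag that pattern in a URL feed. The brand list and the tiny public-suffix table are assumptions for this example; a real deployment would use the full public suffix list and a brand list maintained by the organisation.

```python
# Added example, not code from the original post. Flags hostnames that embed a
# brand's registered domain as leading labels while actually registering under
# a different domain (e.g. "natwest.com.tx49.hk"). BRANDS and the tiny
# public-suffix table below are assumptions made for this example.

BRANDS = {"natwest.com", "hsbc.com", "paypal.com"}

# Rough stand-in for the public suffix list: suffixes that need a third label
# to form a registrable domain. A real deployment should use the full PSL.
TWO_LABEL_SUFFIXES = {"com.ph", "org.ph", "net.ph", "ac.cn", "co.uk"}


def registrable_domain(host):
    """Return the registrable (owner-controlled) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spoofed_brand(host):
    """Return the brand domain that appears as a run of labels to the left of
    the registrable domain, or None if the host is legitimate or unrelated."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in BRANDS:
        return None  # genuinely under the brand's own domain
    prefix = host[: len(host) - len(reg)].rstrip(".")
    prefix_labels = prefix.split(".") if prefix else []
    for brand in sorted(BRANDS):
        b = brand.split(".")
        for i in range(len(prefix_labels) - len(b) + 1):
            if prefix_labels[i:i + len(b)] == b:
                return brand
    return None


def scan_urls(urls):
    """Return (url, spoofed brand) pairs for URLs whose host spoofs a brand."""
    hits = []
    for url in urls:
        host = url.split("/", 1)[0]
        brand = spoofed_brand(host)
        if brand:
            hits.append((url, brand))
    return hits


# URLs from the post, plus one constructed legitimate control at the end.
SAMPLE_URLS = [
    "natwest.com.tx49.hk/onlinebanking/customerform.aspx",
    "natwest.com.tx40.hk/onlinebanking/customerform.aspx",
    "natwest.com.tx48.hk/onlinebanking/customerform.aspx",
    "natwest.com.tx15.hk/onlinebanking/customerform.aspx",
    "natwest.com.tx47.hk/onlinebanking/customerform.aspx",
    "natwest.com.iyeufv.org.ph/onlinebanking/customerform.aspx",
    "natwest.com.yeufv.ph/onlinebanking/customerform.aspx",
    "natwest.com.modifitool.kg/onlinebanking/customerform.aspx",
    "business-internet-banking.hsbc.com.yeufv.com.ph",
    "onlinebanking.natwest.com/login",  # constructed legitimate control
]

if __name__ == "__main__":
    for url, brand in scan_urls(SAMPLE_URLS):
        print(f"{brand:<12} spoofed by {url}")
```

Note that `paypal-accounts.com` from the first list is not caught: it is a different technique (a lookalike registrable domain rather than a brand embedded in a subdomain) and needs a separate check such as edit distance against the brand list.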

Now, let's get back to the domain farms. The first one is located at CTS SIBERIA (Complex Telematic Systems Joint Stock Company, 53 Pisareva St., Novosibirsk, 630005, Russia), at 81.16.131.40, and is hosting:

6584.tw
business-internet-banking.hsbc.com.yeufv.com.ph
hsbc.com.yeufv.com.ph
myyeufv.net.ph
polro.ph
tx49.hk
tx55.hk
yeufv.com.ph

The second one is located at CL-ECSA-LACNIC ENTEL CHILE S.A. at 200.72.139.67, and that IP is acting as the main IP for a wide range of NS servers which further expand the domain farm. As I've already pointed out numerous times, Rock Phish is a great example of how centralization means both efficiency and ease of management, and also insecurity, in the sense that shutting down the IP will shut down the entire scammy ecosystem of over 30 Rock Phish domains, each hosting approximately 5 to 10 different phishing campaigns targeting different brands on a single domain. Here's another perspective on the blended threat posed by phishing emails that come with embedded banker malware, the results of which later get aggregated in a botnet made up of banking-malware-infected machines only. Find out more about trends and developments related to phishing in 2007 in a related article, and about the Rock Phish kit in principle.
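Two things in this post are directly usable by a defender: the "N Host Locked" default error string is a fingerprint for a Rock Phish host, and the centralization of both hosting and nameservers on a couple of IPs means a single block or takedown removes many domains at once. The following added example (not code from the post) turns both into working checks: a regex that matches all three reported variants of the error string, and a ranking of IPs by how many domains depend on them either for hosting or for DNS. The domain names and the two IPs are from the post; the nameserver hostnames, their addresses and the control domain are constructed for the example.

```python
# Added example, not code from the original post. Fingerprints the Rock Phish
# "Host Locked" error page and ranks infrastructure IPs by takedown leverage.
import re
from collections import defaultdict

# Matches the variants the post reports ("209 Host Locked", "66.1 Host Locked",
# "209.1 Host Locked") and any other numeric prefix of the same shape.
HOST_LOCKED_RE = re.compile(r"^\s*\d+(?:\.\d+)?\s+Host Locked\s*$", re.IGNORECASE)


def is_host_locked_banner(body):
    """True if an HTTP response body is only a 'N[.N] Host Locked' marker."""
    return bool(HOST_LOCKED_RE.match(body))


# Constructed resolution snapshot: domain -> hosting IP and nameserver host.
# Domains and 81.16.131.40 are from the post; NS hostnames are hypothetical,
# and "example-legit.net" is a constructed control that shares nothing.
SNAPSHOT = {
    "6584.tw": {"a": "81.16.131.40", "ns": "ns1.tx55.hk"},
    "business-internet-banking.hsbc.com.yeufv.com.ph": {"a": "81.16.131.40", "ns": "ns2.polro.ph"},
    "hsbc.com.yeufv.com.ph": {"a": "81.16.131.40", "ns": "ns1.tx55.hk"},
    "myyeufv.net.ph": {"a": "81.16.131.40", "ns": "ns2.polro.ph"},
    "polro.ph": {"a": "81.16.131.40", "ns": "ns1.tx55.hk"},
    "tx49.hk": {"a": "81.16.131.40", "ns": "ns2.polro.ph"},
    "tx55.hk": {"a": "81.16.131.40", "ns": "ns1.tx55.hk"},
    "yeufv.com.ph": {"a": "81.16.131.40", "ns": "ns2.polro.ph"},
    "example-legit.net": {"a": "198.51.100.20", "ns": "ns1.example-legit.net"},
}

# Constructed: where the nameservers themselves resolve. 200.72.139.67 is the
# NS IP named in the post; the others are documentation-range placeholders.
NS_ADDRESSES = {
    "ns1.tx55.hk": "200.72.139.67",
    "ns2.polro.ph": "200.72.139.67",
    "ns1.example-legit.net": "198.51.100.7",
}


def domains_by_ip(snapshot, ns_addresses):
    """Map each IP to the domains that depend on it, either because the
    domain resolves there or because its nameserver does."""
    deps = defaultdict(set)
    for domain, rec in snapshot.items():
        deps[rec["a"]].add(domain)
        ns_ip = ns_addresses.get(rec["ns"])
        if ns_ip:
            deps[ns_ip].add(domain)
    return deps


def takedown_ranking(snapshot, ns_addresses):
    """(ip, affected-domain count) pairs, most leverage first."""
    deps = domains_by_ip(snapshot, ns_addresses)
    return sorted(((ip, len(d)) for ip, d in deps.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in takedown_ranking(SNAPSHOT, NS_ADDRESSES):
        print(f"{ip:<16} {n} domain(s) depend on it")
    for body in ("209.1 Host Locked", "<html>Welcome</html>"):
        print(repr(body), "->", is_host_locked_banner(body))
```

The ranking is what you hand to an abuse desk or a blocklist owner: it shows that the two IPs in the post each sit under eight of the nine sample domains, which is exactly the centralization point made above, while the control domain contributes only one dependency per IP.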
