
Lately, I've been getting a spate of "phishing" emails, at about two a day. These mails claim to come from a bank, and say something along the lines of "Your online banking has been suspended, you need to give us your banking details again." They then point to a fake Web site that looks just like a real banking site, and try to dupe victims into typing their bank account numbers and passwords and such into the fake site. All pretty bog-standard so far.

The past few weeks have seen a specific and relatively unusual type of phish: rather than trying to get me to type in my account number and password, these emails lead me to a site that tries to get me to download a "browser encryption update" to my computer. The "update" is, of course, malware: it records everything I do in my browser and sends it back to the hackers. A bit of a twist on the idea, but still basically the same thing.

What's surprised me is the sophistication of these phishes. The fake Web sites have very long hostnames, such as

http://ktt.key.ktt.cmd.logonFromKeyCom.productsremote.KUTglSiqAY.rnalid.viewcontent.ttioense.com/logon.htm
( *** WARNING *** *** WARNING *** *** WARNING *** This site is live as of the time of this writing, and WILL try to download malware onto your computer!)
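Seen through a URL parser, all the bait in that hostname sits in the labels to the left of the registered domain; the only part the phishers actually own is the last two labels. The following is an added example, not code from the post: it splits the hostname above the way a browser does, and also the same-shaped URL a commenter pastes further down (joined here from its line-wrapped form), to show which labels are decoys and what happens to everything after the first question mark. The list of "brand words" is a constructed illustration, and the two-label rule for the registrable domain is an assumption that ignores multi-label public suffixes such as .co.uk.

```python
from urllib.parse import urlsplit, parse_qs

# Sample URLs. The first hostname is the one quoted in the post; the second
# is the one from the comment thread, joined into a single line. They are
# only parsed as strings, never fetched.
URL_POST = ("http://ktt.key.ktt.cmd.logonFromKeyCom.productsremote.KUTglSiqAY"
            ".rnalid.viewcontent.ttioense.com/logon.htm")
URL_COMMENT = ("http://direct.bankofamerica.usanationwide.memberverify.portalserver"
               ".9ggevhfqw.loexeiv.com/control.htm"
               "?/viewcontent/verification/OSL.htm?LOB=13075756&refer=XftZjTTe9ggEVHf")

# Constructed list of words a victim would read as "this is my bank's site".
BRAND_WORDS = ["bank", "verify", "logon", "key"]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname: the part the registrant controls.

    Assumption: a plain two-label suffix. Multi-label public suffixes such as
    .co.uk would need the Public Suffix List, which this example omits.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(url: str) -> dict:
    """Split a URL like a browser does and separate decoy labels from substance."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()          # hostnames are case-insensitive
    reg = registrable_domain(host)
    decoy = host[: -len(reg)].rstrip(".")          # everything left of the real domain
    return {
        "host": host,
        "registrable_domain": reg,
        "decoy_labels": decoy.split(".") if decoy else [],
        "path": parts.path,
        # Everything after the FIRST '?' (up to any '#') is the query string;
        # a second '?' is just an ordinary character inside it.
        "query": parts.query,
        "query_keys": list(parse_qs(parts.query, keep_blank_values=True).keys()),
    }


def decoy_hits(result: dict, brand_words=BRAND_WORDS) -> list:
    """Brand-ish words that appear only in the decoy labels, not in the real domain."""
    return [w for w in brand_words
            if any(w in lbl for lbl in result["decoy_labels"])
            and w not in result["registrable_domain"]]


if __name__ == "__main__":
    for url in (URL_POST, URL_COMMENT):
        r = analyze(url)
        print(r["registrable_domain"], "<-", decoy_hits(r))
        print("  path:", r["path"], "| query keys:", r["query_keys"])
```

For the second URL the parser reports the path as just /control.htm; the bank-looking /viewcontent/verification/OSL.htm lives inside the query string as the name of a parameter, which is why a second question mark there is legal and why it means nothing to the server's routing.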

Three things are unusual here.

First, the hackers are registering a domain of their own, rather than just hanging the phish off a hacked Web site.

Second, the hackers are hosting this domain on a large number of computers, probably hacked home PCs, spread out all over the world, so that if one of them is shut down the others keep working. As of the time of this typing, ttioense.com resolves to ten different IP addresses in ten different parts of the world.

Third, the hackers are running their own name servers. They are hacking computers, setting up name servers on those computers, and then using those name servers to set up sites that pretend to be bank sites and try to download malware. Essentially, they are creating their own "shadow Internet"--their own Web sites set up on hacked computers, and their own domain name servers also set up on hacked computers.

Still pretty bog-standard, if technically sophisticated.

Hold on to your hat, Dorothy, because Kansas is about to go bye-bye.

As of the time of this writing, ttioense.com, the fake bank Web site that tries to download a virus, has two name servers:

Domain name: ttioense.com

Technical Contact:
Pamela Saul pamela@yahoo.com
3366810811 fax: 3366810811
5903 Shenandoah Road
Greensboro NC 27405
us

Billing Contact:
Pamela Saul pamela@yahoo.com
3366810811 fax: 3366810811
5903 Shenandoah Road
Greensboro NC 27405
us

DNS:
ns1.dabchecks.com
ns2.dabchecks.com

Created: 2008-10-15
Expires: 2009-10-15


Now, ns1.dabchecks.com is running on a server in the UK belonging to a company called UK Dedicated Servers Limited.

On the other hand, ns2.dabchecks.com...

ns2.dabchecks.com is running at 22.25.119.21, on an IP address belonging to the United States Department of Defense. Specifically, 22.25.119.21 belongs to the Department of Defense Network Information Center--a military network so paranoid that their main Web site won't let you log on unless you have a special access card and you're connecting from a .mil address.

whois 22.25.119.21

OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US

NetRange: 22.0.0.0 - 22.255.255.255
CIDR: 22.0.0.0/8
NetName: NICS0175
NetHandle: NET-22-0-0-0-1
Parent:
NetType: Direct Allocation
Comment:
RegDate: 1989-06-26
Updated: 2007-07-06

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-614-692-2708
OrgTechEmail: HOSTMASTER@nic.mil


And that isn't something you see every day.
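Two of the observations above can be turned into a routine check: how widely a phishing hostname is spread across addresses and prefixes (the "ten different IP addresses" point), and who owns the address each name server sits on (the whois above). The block below is an added example of mine, not the post's tooling. The 22.0.0.0/8 entry and the two name-server hostnames come from the whois output in the post; the A-record snapshot, ns1's address, the other netblock entries and the flux thresholds are constructed so the example runs offline (RFC 5737 documentation addresses stand in for the real hosting IPs). A real detector would repeat the lookups over time and score churn in the address set, which a single snapshot cannot show.

```python
import ipaddress
from collections import Counter

# Netblock attribution table. The 22.0.0.0/8 line is from the ARIN whois
# reproduced in the post; the others are constructed placeholders.
NETBLOCKS = [
    (ipaddress.ip_network("22.0.0.0/8"), "DoD Network Information Center (DNIC)"),
    (ipaddress.ip_network("192.0.2.0/24"), "placeholder ISP A (constructed)"),
    (ipaddress.ip_network("198.51.100.0/24"), "placeholder ISP B (constructed)"),
    (ipaddress.ip_network("203.0.113.0/24"), "placeholder ISP C (constructed)"),
]

# Constructed A-record snapshot for the phishing host: ten addresses over
# several prefixes with a short TTL, the shape the post describes.
A_RECORDS = [
    ("192.0.2.10", 300), ("192.0.2.77", 300), ("198.51.100.5", 300),
    ("198.51.100.200", 300), ("203.0.113.9", 300), ("203.0.113.44", 300),
    ("203.0.113.120", 300), ("192.0.2.150", 300), ("198.51.100.99", 300),
    ("203.0.113.250", 300),
]

# NS hostnames are from the whois in the post. ns2's address is the one the
# post reports; ns1's is a constructed placeholder ("a server in the UK").
NAME_SERVERS = {
    "ns1.dabchecks.com": "198.51.100.1",
    "ns2.dabchecks.com": "22.25.119.21",
}


def attribute(ip: str) -> str:
    """Organisation for the most specific matching netblock, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, org) for net, org in NETBLOCKS if addr in net]
    if not matches:
        return "unknown"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def flux_score(records, min_ips=5, min_prefixes=3, max_ttl=600) -> dict:
    """Heuristic fast-flux indicators for one lookup snapshot.

    Thresholds are constructed for illustration: many addresses, spread over
    several /16s, with a TTL short enough to rotate them quickly.
    """
    ips = {ip for ip, _ in records}
    prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
    ttl = min(t for _, t in records)
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": ttl,
        "flagged": len(ips) >= min_ips and len(prefixes) >= min_prefixes and ttl <= max_ttl,
    }


def triage(domain: str, name_servers: dict, a_records: list) -> dict:
    """Summarise hosting spread and who owns each name server's address."""
    ns_owner = {host: attribute(ip) for host, ip in name_servers.items()}
    hosting = Counter(attribute(ip) for ip, _ in a_records)
    return {
        "domain": domain,
        "flux": flux_score(a_records),
        "ns_owner": ns_owner,
        "hosting_owner_counts": dict(hosting),
        # Name servers sitting in address space one would not expect a
        # phishing crew to control legitimately.
        "ns_in_notable_space": [h for h, o in ns_owner.items() if o.startswith("DoD")],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage("ttioense.com", NAME_SERVERS, A_RECORDS), indent=2))
```

In practice the address snapshot would come from repeated `dig +short` runs and the netblock table from whois or an RIR bulk feed; the point of the structure is that the name servers get attributed separately from the hosting, since, as the post shows, it was the name server rather than the Web site that landed in interesting address space.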


Comments

( 37 comments — Leave a comment )
polydad
Oct. 15th, 2008 09:11 pm (UTC)
Does this mean we have hackers hacking the Pentagon to run a phishing scam, or the military getting so desperate for cash that *they're* running a phishing scam?

best,

Joel. Who has no idea how to tell.
tacit
Oct. 16th, 2008 04:38 pm (UTC)
If the military were to set up such a scam, they wouldn't use their own IP addresses. The FBI recently conducted a multiyear sting operation aimed at hackers and credit card crackers, and they set up a fictitious forum on an ISP known to be friendly to criminal activity. There's simply no need for the government, were it to do such things, to be so obvious.

And the Pentagon isn't exactly hurting for money; it gets more money for military spending than the entire rest of the world put together. The amount of money that even a wildly successful phishing expedition could bring in wouldn't amount to more than a rounding error in one segment of one part of the Pentagon's overall budget; they probably spend more money on paper clips in a year than what they could make by this sort of fraud.

There's no doubt in my mind that the government is willing to engage in fraud--just not this kind of pissant penny-ante low-level fraud.
dwer
Oct. 15th, 2008 09:19 pm (UTC)
be careful. The last time someone tried to show the DoD a hole in their security network, they went to jail.
tacit
Oct. 16th, 2008 04:39 pm (UTC)
Heh. Of course, that happens when folks try to demonstrate those weaknesses by hacking them--which is, of course, profoundly stupid. Merely reporting on them is a different matter.
fionn_mcgreggor
Oct. 15th, 2008 09:43 pm (UTC)
This is seriously weird. If they hacked 22.25.119.21, then why on earth would they use it for something so silly? Perhaps they simply didn't bother to see who they'd hit?

I'm certain the NSA/DoD are doing some stuff we'll never know about in service of our corporate overlords, but there's just no way even human incompetence would explain publicly outing themselves in this manner.


president/bomb/terrorist
Hello TIA
tacit
Oct. 16th, 2008 04:40 pm (UTC)
That's my guess. They probably hack sites by using automated tools like Metasploit, and don't know or care who owns the IP addresses. I bet the folks responsible have no earthly clue they've hacked a server on an IP range belonging to the DoD.

At least not yet.
(Anonymous)
Oct. 15th, 2008 09:55 pm (UTC)
In a purely theoretical way, I've long wondered if mail spam couldn't be turned into some kind of tool for a military power. Each individual spam itself wouldn't be very useful, but a huge swarm of spam could give you statistical measurements of some kind, of the state of the internet backbone, or people's individual machines, all kinds of things.

What I like about this theory is that it brings John Q Public into the battlefield. Which kind of jibes with a lot of other things I can't help but notice.
tacit
Oct. 16th, 2008 04:42 pm (UTC)
Actually, you're pretty close to something that's used routinely. The kind, amount, and pattern of spam is often used to get a rough approximation of the size of different botnets. Botnets are frequently used to send spam, and comparing the volumes of spam with botnet command and control traffic coming from the same IP address, and then comparing that spam with other related spam, gives researchers a pretty nice approximation of the size of the botnets in question.
skitten
Oct. 16th, 2008 12:12 am (UTC)
ummmmmmm... I have no idea what you are trying to say here- avoid said website? *scratches head in confusion*....
nope. I've decided that perhaps I'm simply not geek enough to grok it...something about banks?
lance_lake
Oct. 16th, 2008 01:13 am (UTC)
Basically...
The hackers, in an effort to spread out and control more machines, converted a military Department of Defense machine.

He was remarking about how hard this is to do (They got some SERIOUS security) and how the hackers probably don't realize this (if they do, they are VERY stupid or very clever. Talking either rainman here or einstein).
(Deleted comment)
tacit
Oct. 16th, 2008 04:45 pm (UTC)
Yeah. I bet when someone finally gets 'round to noticing that the machine on that IP address has been breached, someone else will be in a world of hurt.
(Deleted comment)
self_confusion4
Oct. 16th, 2008 03:27 am (UTC)
No, no freaking out is required, but seriously.

Hooooly shit.
cjhm
Oct. 16th, 2008 03:49 am (UTC)
Cool!
sylvar
Oct. 16th, 2008 06:32 pm (UTC)
Heh. I just got one of these:

http://direct.bankofamerica.usanationwide.memberverify.portalserver.9ggevhfqw.loexeiv.com/control.htm?/viewcontent/verification/OSL.htm?LOB=13075756&refer=XftZjTTe9ggEVHf

What struck *me* as odd was the second question mark...