Interesting IRS Phishing Method

May 20th, 2008 by Steven Adair

The phishers out there are once again finding new ways to obfuscate their URLs in attempts to fool end users. I am pretty sure I saw this method mentioned elsewhere recently, but I cannot recall where. In any event, this recent phish found its way into the spam folder on one of my e-mail accounts. Notice the URL they provided:

Subject: Tax Notification
From: “Internal Revenue Service” <taxrefund@1x8c.8xdb95d4.irs.gov>
Date: Tue, May 20, 2008 6:36 am

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

Notice that the URL is http://0x7C.0xDB11D1/www.irs.gov/ and that they used 0x7C.0xDB11D1 as the “Document Reference” in an attempt to make it look more official. Well, it turns out that 0x7C.0xDB11D1 really converts to an IP address in Taiwan - 124.219.17.209. Visiting this IP address or the URL above ends up redirecting you to http://www.comtipps.de/www.irs.gov/index.htm?memberID=0x7C.0xDB.0x11.0xD1.

This then tries to get your social security number, credit card information (including CVV code and ATM PIN), date of birth, full name and address, phone number, and finally e-mail address (wouldn’t one assume they already have this if they e-mailed you? :D). Be on the lookout for this slightly different take on an old trick.
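The host 0x7C.0xDB11D1 works because inet_aton-style parsing in browsers and libc accepts hexadecimal (0x), octal (leading 0) and decimal components, and fewer than four of them, with the last component filling the remaining bytes. The following helper is an added example, not code from the original post: it normalizes any such literal to dotted-decimal so a mail filter or analyst sees 124.219.17.209 rather than the disguised form, using the URL quoted above as input.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# One dotted component in inet_aton syntax: 0x.. hex, leading-0 octal, or plain decimal.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _part_value(part: str) -> int:
    """Decode one component using inet_aton rules."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def normalize_ipv4_host(host: str) -> Optional[str]:
    """Return the dotted-decimal form of an IPv4 literal in any inet_aton form, or None.

    Accepted shapes: a (32 bits), a.b (8+24 bits), a.b.c (8+8+16 bits), a.b.c.d (8 bits each);
    the last component always fills the remaining low-order bytes.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    leading, last = values[:-1], values[-1]
    last_bits = 8 * (5 - len(parts))
    if any(v > 0xFF for v in leading) or last >= 1 << last_bits:
        return None
    n = 0
    for v in leading:
        n = (n << 8) | v
    n = (n << last_bits) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def disguised_ip_in_url(url: str) -> Optional[str]:
    """If the URL's host is an IPv4 literal (hex, octal, decimal or short form), return it in dotted-decimal."""
    host = urlsplit(url).hostname or ""
    return normalize_ipv4_host(host)

if __name__ == "__main__":
    # The phishing link quoted in the post; the brand name sits in the path, not the host.
    print(disguised_ip_in_url("http://0x7C.0xDB11D1/www.irs.gov/"))  # 124.219.17.209
```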

Posted in Phishing, Links

Storm Worm Targets U.K. Banks

January 8th, 2008 by Steven Adair

We have noticed some interesting activity by the Storm Worm crew lately. It seems they have continued to move their criminal empire into targeting banking information. This time there are two new domains:

i-barclays.com
i-halifax.com

These domains are on the fast flux network and hosting phishing scams looking to rip you off. There’s a good brief posting about it here from us at Shadowserver:

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080108

It seems Fortinet had initially picked it up, and SC Magazine has run a pretty good article with them that can be found via the above URL. Be on the lookout for these and others that follow.

Posted in Phishing, Botnets, Spam, Storm Worm

BorderWare Security Network Website

December 29th, 2007 by Steven Adair

The other day while searching some of the Storm Worm domains, I found myself clicking onto a link to the website http://bsn.borderware.com. As it turns out, it’s a pretty interesting little site. Their website displays snapshots and statistics in a number of different categories. A quick summary right from their website says that “The BorderWare Security Network (BSN) is a real-time reputation service that monitors and identifies threats across multiple Internet communication protocols.” On the website you can get a top 10 for Zero Hour Threats, Recent Offenders, Most Wanted, Top Phishers, Top Spammers, and Virus Senders. You can also look up IP addresses and domains to check their reputation as the BSN has it.

The most interesting of the Top 10 lists it has is the “Top Phishers” list. The name itself is a bit of a misnomer. The list that appears under this heading is actually the most frequent domain names in phishing and spam e-mails that they have seen. It should be no surprise that the last few Storm Worm domains have appeared as #1 or #2 every time I check their website. Other similar services are the Internet Storm Center’s Top 10 and ATLAS from Arbor Networks. However, neither of these will give you a list of some of the most frequently seen mass e-mailed domain names, which is an interesting statistic to see.

If you know of any other similar services that you use or provide, please feel free to share them via comments or by e-mailing me [steven[AT]securityzone.org].

Posted in Phishing, Spam, Random

66.1 Host Locked? 209 Host Locked? Rock Phish Anyone?

December 1st, 2007 by Steven Adair

Ever find yourself on a webpage that says “66.1 Host Locked” on it and has “209” as the title? Did you get there while investigating a phishing scam? Well, you have found yourself on a server associated with Rock Phish and the Rock group. Now you might be wondering what Rock Phish is exactly. Well, Rock Phish is one of the most prolific and successful phishing schemes on the Internet — estimated to have bilked people out of millions and millions of dollars. This scam and group targets anyone and everyone that they can dupe into giving them their personal banking information. See this Wikipedia article for a little more information on it.

Rock Phish works by having servers that are hacked/infected act as proxy hosts to a back end server that houses various phishing scams and collects the data for the bad guys. Rock Phish uses domains that usually do not look anything like what you would expect a bank to use. Take a look at a few examples of recent Rock Phish domains:

4rrt.es
fjuw33.xz.cn
idll44.ph
njexnz1.com
port1954.com
port1954.hb.cn
reon1.mobi

These are domains used and registered by the group and not just random compromised websites with funny domains. Not exactly material that would fool the average person, is it? However, the way the DNS is set up, anything can precede one of these domains, and the URLs are spammed out to look like whatever banking institution they are targeting. Let’s use two recent examples from the idll44.ph server. These are the links that were sent out as part of the phishing scam attempt:

http://citizensbankmoneymanagergps.com.idll44.ph/securepage/challenge.aspx?session=2421674313279551514843902175
http://sparkasse.at.idll44.ph/casserver/form?service=00877096821427050702537048427206410187983854537763746

They look pretty different, but they are really being handled by the same compromised proxy server. The first part of the subdomain is designed to look like the banking institution they are targeting. The rest of the URL following the TLD is also made to attempt to emulate something you might see on the legitimate site. Then of course - the last piece - the website itself looks identical to the bank and will usually actually do a redirect to the real bank once you have filled out the information they want.
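To show why the two links above are really the same server, here is an added example that is not code from the original post: it strips the decorative subdomains, clusters URLs by their registrable domain, and flags lures that embed another domain's TLD (the "com" and "at" labels above). It uses a constructed, hard-coded subset of the Public Suffix List covering only the domains named in this post; a real tool would load the full list.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org), just enough for the domains in
# this post. A real tool loads the full list; this sample exists so the example runs offline.
PUBLIC_SUFFIXES = {"es", "cn", "xz.cn", "hb.cn", "ph", "com", "mobi", "at", "de"}

def registrable_domain(host: str) -> str:
    """Return the public suffix plus one label, i.e. the domain the phisher actually registered."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest matching suffix wins, so try the whole host first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])          # unknown suffix: fall back to the last two labels

def lure_labels(host: str) -> list:
    """The labels in front of the registrable domain: with wildcard DNS these can be anything."""
    reg_len = len(registrable_domain(host).split("."))
    return host.lower().rstrip(".").split(".")[:-reg_len]

def mimics_another_domain(host: str) -> bool:
    """True when the lure contains a label that is itself a public suffix (e.g. 'com', 'at'),
    the usual sign that the subdomain is dressed up to read as a real bank domain."""
    return any(label in PUBLIC_SUFFIXES for label in lure_labels(host))

def group_by_registrable_domain(urls) -> dict:
    """Cluster phishing URLs by the domain serving them, ignoring the decorative subdomains."""
    groups = defaultdict(list)
    for url in urls:
        groups[registrable_domain(urlsplit(url).hostname or "")].append(url)
    return dict(groups)

if __name__ == "__main__":
    links = [  # the two links quoted in the post
        "http://citizensbankmoneymanagergps.com.idll44.ph/securepage/challenge.aspx?session=2421674313279551514843902175",
        "http://sparkasse.at.idll44.ph/casserver/form?service=00877096821427050702537048427206410187983854537763746",
    ]
    for domain, urls in group_by_registrable_domain(links).items():
        print(domain, len(urls), [mimics_another_domain(urlsplit(u).hostname) for u in urls])
```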

Now quickly back to the original part of the post. If you navigate to the root of this domain you will see a seemingly fake error message that says “66.1 Host Locked”. Some people seem to think this replaced the old message used by the group that said “209 Host Locked”. Well, this just isn’t true. This is a different server being utilized. The previous server used to give that message and then changed to a page about “R11.com”. It appears that server is down and this one has replaced it.

Finally, not only does it appear the group is doing phishing attacks just for information, it appears they have moved into the realm of attempting to infect machines as well. Last week Websense reported that the group spammed out e-mails that linked to pages that look just like the YouTube website. However, the website would attempt to get you to download a file called “install_flash_player.exe” and then start doing some extra stuff. Feel free to read more on the Websense link at http://www.websense.com/securitylabs/alerts/alert.php?AlertID=818

Just a heads up to those of you out there. These people are successful because people keep falling for this stuff. Happy browsing.

Posted in Phishing