As reported by a number of different sources, Google’s primary web property in Vietnam (www.google.com.vn) had its DNS abused by an individual (or individuals) claiming affiliation with Lizard Squad.
Based on the DNS queries over the past 2 days, we noticed that the DNS infrastructure changed from the expected Google name servers (ns1.google.com, ns2.google.com) to CloudFlare (184.108.40.206, 220.127.116.11). This was identified using OpenDNS Investigate and corroborated by several other publicly available tools. Though only a brief redirection, visitors to the legitimate www[.]google[.]com[.]vn site were surreptitiously redirected to a DigitalOcean-hosted server with the following message:
A DigitalOcean IP served as the endpoint for the hijacked site and, according to MaxMind, was located in the Netherlands – at least until it was taken down.
What’s interesting is that the IP address in question was an IPv6 IP – 2a03:b0c0:2:d0::23a:c001.
Prefix description: DigitalOcean
Country code: NL
Origin AS: 202018
Origin AS Name: DOAMS3 — DigitalOcean Amsterdam
RPKI status: No ROA found
First seen: 2014-08-13
Last seen: 2015-02-23
Seen by #peers: 170
We’re not sure if this was an attempt to “confuse” network analysts and legacy tools or if this was simply a case of “we don’t care what IP address we get as we’re mapping a domain name to it”.
The hosting of the site in The Netherlands, when combined with the load balancing capabilities of employing CloudFlare’s infrastructure, does signal that at least some thought was put into managing the considerable amount of web traffic generated by Google-related requests.
We suspect that the use of IPv6 for malicious and fraudulent sites will become increasingly commonplace, especially as VPS providers stop giving customers the choice to select an IPv4 or IPv6 IP address for their server. In close we’d also like to give kudos to CloudFlare for their diligence in coordinated the taken down of this fraudulent site shortly after the redirect was detected.
OpenDNS has received numerous questions about the Invincea “Fessleak” report. We have been tracking this “actor”, who went by the name of Michael Zont, for several months, and saw a major uptick in previous weeks. The name “Fessleak” actually comes from the actor’s email address (fessleak@qip[.]ru) used to register the domains.
OpenDNS first became aware of malicious activity around this registrant in April 2014 starting with the creation of prosoknf[.]com, and began an active monitoring campaign to identify, and block, any domains registered by “Fessleak”. Using various techniques such as WhoIs monitoring, the OpenDNS Investigate tool, and our Spike Detection Algorithm (SDA), we were able to keep pace with the deployment of nefarious websites with almost real-time speed, including the sites in the aforementioned report.
Sites we were first monitoring appeared mainly geared towards the hosting of more common types of malware and exploit kits such as Angler, Kovter, and Rig (ex: prosoknf[.]com). More recently, we noticed a shift into forms of malvertising (ex: tunim[.]net and podin[.]net), with the most recent iterations hosting Flash ‘zero day’ exploits (ex: retilio[.]net). These domains were used for a short amount of time, usually in the way of just a few hours, and then discarded, showing no signs of re-use later.
All sites monitored were hosted on Peer1 Networks (AS 13768) and registered under PDR LTD.
The following images provide some insight into the traffic patterns of domains we were tracking during this campaign.
The complete list of domains tracked during this campaign are shown below. All of the following link to the respective OpenDNS Investigate analysis for each tracked domain. These allow customers can view the full analysis of the campaign information:
The following image is a screenshot of the Fessleak domains as graphed in OpenGraphiti.
Towards the end of 2014 we noticed, on average, two domains registered every 1-2 days. However, since the Invincea report came out, the actor has not registered any new domains using this email address.
Photo source: https://www.flickr.com/photos/sfxeric/4086743445/
Phishing is a frequent topic of conversation in the media, but what exactly is it?
Phishing is the attempt to trick a victim into providing sensitive information such as usernames, passwords, credit card and banking information or other private data through the use of a realistic-looking email that appears to come from a legitimate website or business. The general idea behind a phishing attack is to entice a victim into clicking a link, much like a fisherman attempts to catch a fish with a lure on a hook. Once a victim falls for this and clicks a link in a phishing email, they may be directed to a seemingly legitimate website where they are prompted for information or to download malicious software.
While the majority of phishing attacks are not personalized and are sent to as many potential victims as possible, targeted phishing also occurs. Targeted phishing uses known information about a recipient to better convince them into providing credentials. A well-crafted targeted phishing attack can defeat even the best security controls if an attacker is able to collect highly-privileged login credentials.
To better understand how phishing attacks are conducted and how they sometimes convince end-users to type credentials into legitimate-looking websites, we will walk through some recent examples of advanced phishing attacks seen by OpenDNS Labs.
On January 26th at 11:15pm UTC, OpenDNS Security Labs detected multiple domains created to impersonate a Paypal website for use in an email phishing campaign and personal information harvesting.
One of the primary websites (redirectly-paypal[.]com) was registered on January 25th, 2015 through Wix.com based on nameserver information (or possibly registered at Network Solutions, Inc. and then transferred to Wix.com’s nameservers). One of the fraudulent domains (security-paypal-center[.]com), which has been dormant since its expiration in 2005, was re-registered January 22nd, 2015 – again through Wix.com. We also found a few other Paypal related spoofing domains that we display below: x-paypal.com, securitycheck-paypal.com, paypalinspection.com, area-paypai.es, and many more (not shown).
Based on the auto generated privacy email within the registrant’s WHOIS information (Figure 1), we can ascertain that both domains were registered at the same time – likely on the same transaction.
The fraudulent Paypal websites (Figures 2, 4, 5, 6, and 7) are virtually indistinguishable from the legitimate PayPal.com site (Figure 3).
In fact, the fraudulent site borrows much of its image, text, and color scheme from the real site.
In this image, we see attention to detail in presentation, but with the odd domain name, x-paypal[.]com. An untrained observer might not notice and actually follow through with entering credentials.
We saw that this was registered with ENOM INC., a registrar that consistently came up when investigating these typo-squatting domains:
The next image is an example of a slightly more sophisticated attack, in which the attackers copied HTML code directly from the legitimate PayPal[.]com in order to set up their own realistic phishing website. Additionally, the domain, securitycheck-paypal[.]com might lead a less observant user to avoid questioning its legitimacy.
The following phishing attempt is spoofing an Apple ID Verification page at the domain paypalinspection[.]com. While the services that PayPal and Apple offer are unrelated, it’s possible the the unobservant user could fall for this and enter their Apple ID credentials.
In following attempt, there is less attention to detail in the replication of the PayPal login page. It uses some original content pulled from actual PayPal servers, but is in Spanish while being sent to English-speakers. Additionally, the domain, area-paypal[.]es is fairly far-removed from paypal[.]com. A potential victim of this phishing attempt would hopefully notice something isn’t right before continuing.
The following information was surfaced by our OpenDNS Investigate product and shows the global query traffic, registrant, and IP information for the aforementioned domains:
Both domains are hosted with CyrusOne LLC (http://www.cyrusone.com/), a provider of global datacenter facilities for colocation of servers. The company boasts customers such as CarFax.com, Dell, Enbridge Energy Company Inc., and Rent-A-Center. A quick look at the Autonomous System (AS) number associated with CyrusOne (AS20013) shows a number of similarly fraudulent PayPal-related domains. Some examples include:
OpenDNS has reported these domains to PayPal. We have received confirmation that its fraud and abuse department is currently investigating and working to take them down. In the meantime, OpenDNS has blocked access to these domains for all users of our DNS infrastructure.
These attacks are not new, but they are beginning to look more legitimate with every iteration. Companies like Wix.com make it trivial to create a professional looking site these days – and the attackers have noticed. All users should remain diligent when surfing the Internet, clicking on links in emails, and opening attachments. The difficulty of identifying the validity of these websites visually will soon be untenable.
OpenDNS Security Labs specializes in developing anomaly detection models to identify different types of attacks. For this particular algorithm we utilized natural language processing techniques such as a fuzzy substring matching, and a modified Levenshtein distance to check for the word distance between legitimate and typosquatting domains (ex. malware.com vs. rnalware.com, linkedin.com vs. 1inkedin.net, ). We also leveraged SecurityGraph’s vast amount of data to investigate different types of attacks in our user’s DNS data. For example, we built up an ASN map of all legit domains mapping to their appropriate ASNs (ex. Google->ASN 36492 ).
This idea was previously outlined in the DarkHotel blog. In addition we mined these adversarial domains’ WHOIS records to extract patterns. When registering a domain on internet, registrants typically have to provide information about the entity registering the domain. One of the ways we are able to track these adversary syndicates is mining their WHOIS records for patterns. Searching the WHOIS database for registrant information among these domains, a common denominator that was noticed was the use of Perfect Privacy, LLC.
Using privacy protection is nothing new, yet does add another layer of obfuscation. The use of this particular privacy provider accounted for a majority of the more sophisticated sites that were identified, leading to the theory the same actor(s) were involved in the production of these sites. We also found that many of these domains were created/registered very recently, some within the past couple days, most within the couple months.
Some of the indicators to look out for to make sure you don’t fall victim to this type of attack is to verify that the site is using HTTPS and a legitimate SSL Certificate from the organization you are visiting. All of the spoofed sites we saw served their content over HTTP, which is highly uncommon for money transfer sites.
Other items to notice are variations in the layout from the legitimate site. The original phishing email could also provide clues as to its authenticity. If the wording is off or it’s blatantly asking for you to enter your password somewhere, it could be phishing. A more advance user may want to review the headers of an email, tracing the path to determine if it was spoofed to look as if it is coming from another location.