Monday, July 3, 2017

DOMAIN $HADOWING: Sorting Victims from Actors

More GOOGLE $EO Rabbitholin' fun...



Threat Hunting & Rabbitholin' are a lot like the "Choose your own adventure" books we had as kids (late 70s/early 80s). Before access to video games, Internet & most modern electronics we had books/words and our brain. We were the CPU and we processed the programs/code (books) but made it dynamic (and arguably more valuable) with our logic, reasoning and choices made in order to get the "best" ending or result.

Let's use the same methodology used in "experiencing" the old-school CYOA books to rabbit-hole for threats. We will also use similar methodologies from the last BLOG POST "GOOGLE $CAMS: $EO VooDoo".

1. SEARCH GOOGLE FOR TOPIC OF INTEREST. Here's the first choice you have in this adventure! Let's try to find links to a rogue Android APK download for a "Wells Fargo" branded mobile application (using the search terms below along with the PAST 24 Hours search parameter):

download wells fargo bank app android


2. EXAMINE THE GOOGLE SEARCH RESULTS ...
When checking the results you should be looking for any anomalies and/or anything that doesn't look 'normal'. In our results...the 2nd result looks odd...

SEARCH RESULT:
[DOC] Ellens emoji exploji itunes - 18 hours ago

CLICKING LINK LEADS TO:
hXXp://wffw[.]jenniferashe[.]net/BQ




3. CLICK ON THAT LINK!!
Be sure you are using a safe environment to do your research so you don't infect yourself unintentionally. Unsafe Rabbitholin' should be avoided unless that is yer intent! On to the clickin'...





Upon clicking the link we are presented with a familiar looking animated loading splash page (from our previous BLOG POST):


Meanwhile, in the background, the browser is being redirected to multiple websites (through a redirect chain) where eventually we will end up on a landing page of unknown intent, content & threat level. Guess we'll find out any second now!


OMFG!@#$ "Your Browser have been hijacked or hacked."
-------------------------------------------------------------------------------------

FINAL LANDING PAGE:
hXXp://www[.]plaza-place-on[.]us/

SCAREWARE & FAKE TECH SUPPORT SCAMS!
"Windows Firewall Security Damaged by Exploit.SWF.db Virus. A Suspicious Connection Was Trying To Access Your Logins, Banking Details & Tracking Your Internet Activity. Windows Security Center & Firewall Sevices are Disabled. Error Code 0x8024402c.

WARNING! Your Hard drive will be DELETED if you close this page. You have a ZEUS virus! Please call Support Now!. Call Toll-Free:+1-(866)-331-7691 To Stop This Process"

NEW DATA POINTS OBSERVED:
Exploit.SWF.db
0x8024402c
1-(866)-331-7691
www[.]plaza-place-on[.]us


4. REVIEW THE REQUEST SEQUENCE/REDIRECT CHAINS
We will now examine the sequence of events & connections from the initial request to the final loading of the view from plaza-place-on[.]us.


302 hXXp://wffw[.]jenniferashe[.]net/BQ
IP ADDR: 95.211.230[.]116

302 hXXp://xmlfeed[.]info:8080/click?
IP ADDR: 216.172.56[.]21

302 hXXp://64.15.72[.]104/click[.]php?
IP ADDR: 64.15.72[.]104

302 hXXp://64.15.72[.]104/click_second_new3[.]php
IP ADDR: 64.15.72[.]104

302 hXXp://go[.]quali-bid[.]com:17777/click[.]php?
IP ADDR: 64.15.72[.]46

200 hXXp://www[.]metal-rewards[.]us/
IP ADDR: 198.54.115[.]15

200 hXXp://www[.]plaza-place-on[.]us/
IP ADDR: 198.54.115[.]15


NEW DATA POINTS OBSERVED:

UNIQUE HOSTS
wffw[.]jenniferashe[.]net
xmlfeed[.]info:8080
64.15.72[.]104
go[.]quali-bid[.]com:17777
www[.]metal-rewards[.]us
www[.]plaza-place-on[.]us

UNIQUE IP ADDRS
95.211.230[.]116
216.172.56[.]21
64.15.72[.]104
64.15.72[.]46
198.54.115[.]15
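Pulling the unique hosts and IPs out of a captured chain by hand gets tedious by the fourth or fifth crawl, so here is a small Python helper, added to this write-up (it is not code from the original post), that parses a chain written in the defanged notation used above into hops, de-duplicates the hosts and IPs in order of appearance, and flags IPs that serve more than one landing-page host. The sample chain embedded in it is the one captured above; the function and variable names are mine.

```python
import ipaddress
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample input: the redirect chain captured in this post, copied in
# the defanged form used above ("STATUS URL" line, then an "IP ADDR:" line).
CAPTURED_CHAIN = """\
302 hXXp://wffw[.]jenniferashe[.]net/BQ
IP ADDR: 95.211.230[.]116

302 hXXp://xmlfeed[.]info:8080/click?
IP ADDR: 216.172.56[.]21

302 hXXp://64.15.72[.]104/click[.]php?
IP ADDR: 64.15.72[.]104

302 hXXp://64.15.72[.]104/click_second_new3[.]php
IP ADDR: 64.15.72[.]104

302 hXXp://go[.]quali-bid[.]com:17777/click[.]php?
IP ADDR: 64.15.72[.]46

200 hXXp://www[.]metal-rewards[.]us/
IP ADDR: 198.54.115[.]15

200 hXXp://www[.]plaza-place-on[.]us/
IP ADDR: 198.54.115[.]15
"""

HOP_RE = re.compile(r"^(?P<status>\d{3})\s+(?P<url>\S+)$")
IP_RE = re.compile(r"^IP ADDR:\s*(?P<ip>\S+)$")


def refang(text):
    """Turn the blog's defanged notation back into something urlsplit can parse."""
    return text.replace("[.]", ".").replace("hXXp", "http").replace("hxxp", "http")


def defang(name):
    """Defang like the post: IPs get [.] on the last dot only, hostnames on every dot."""
    host, sep, port = name.partition(":")
    try:
        ipaddress.ip_address(host)
        head, _, last = host.rpartition(".")
        return f"{head}[.]{last}{sep}{port}"
    except ValueError:
        return host.replace(".", "[.]") + sep + port


def parse_chain(text):
    """Parse a captured chain into hops: status, url, host, port, ip."""
    hops = []
    for line in text.splitlines():
        line = line.strip()
        m = HOP_RE.match(line)
        if m:
            url = refang(m.group("url"))
            parts = urlsplit(url)
            hops.append({"status": int(m.group("status")), "url": url,
                         "host": parts.hostname, "port": parts.port, "ip": None})
            continue
        m = IP_RE.match(line)
        if m and hops:
            # ip_address() validates the token, so a typo in the capture fails loudly
            hops[-1]["ip"] = str(ipaddress.ip_address(refang(m.group("ip"))))
    return hops


def unique_hosts(hops):
    """Ordered, de-duplicated host[:port] list, defanged for the write-up."""
    seen = OrderedDict()
    for h in hops:
        seen.setdefault(f"{h['host']}:{h['port']}" if h["port"] else h["host"], None)
    return [defang(k) for k in seen]


def unique_ips(hops):
    """Ordered, de-duplicated IP list, defanged for the write-up."""
    seen = OrderedDict((h["ip"], None) for h in hops if h["ip"])
    return [defang(ip) for ip in seen]


def shared_hosting(hops):
    """IPs that serve more than one distinct host: a cheap 'same operator?' pivot."""
    by_ip = {}
    for h in hops:
        if h["ip"]:
            by_ip.setdefault(h["ip"], set()).add(h["host"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def final_landing(hops):
    """URL of the last hop that answered 200, or None if the chain never settled."""
    landed = [h["url"] for h in hops if h["status"] == 200]
    return landed[-1] if landed else None


if __name__ == "__main__":
    chain = parse_chain(CAPTURED_CHAIN)
    print("UNIQUE HOSTS:", *unique_hosts(chain), sep="\n")
    print("UNIQUE IP ADDRS:", *unique_ips(chain), sep="\n")
    print("SHARED HOSTING:", shared_hosting(chain))
    print("FINAL LANDING PAGE:", final_landing(chain))
```

Run it against the chain above and the two lists it prints match the NEW DATA POINTS written out by hand; the shared-hosting map is the part that is easy to miss when eyeballing, since it is what puts metal-rewards[.]us and plaza-place-on[.]us on the same box.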



!!!!!!    CHOOSE YOUR OWN ADVENTURE TIME    !!!!!!

So...where do we go from here? We definitely have several NEXT PIVOT data points, and where you begin is totally up to you (with the goal being, of course, to not get lost in the rabbit-hole). Today, I will start with WHOIS/IP Lookups of the INITIAL REQUEST URI and the FINAL LANDING PAGE presented and then move on from there...

STEP 1 - WHOIS/IP LOOKUPS FOR 'JENNIFERASHE[.]NET'

HOST: wffw[.]jenniferashe[.]net
NSLOOKUP: 95.211.230[.]116
ASN: AS60781 (LEASEWEB NL)

DOMAIN: jenniferashe[.]net
NSLOOKUP: 50.62.248.1
ASN: AS26496 (GO-DADDY-COM-LLC Scottsdale US)

WHOIS: https://www.whois.com/whois/jenniferashe.net

Registrar URL: http://www.godaddy.com
Registrant Name: John Mekrut
Registrant Organization: The Balanced Brain
Name Server: NS05.DOMAINCONTROL.COM
Name Server: NS06.DOMAINCONTROL.COM


WEBSITE SNAPSHOT FOR 'JENNIFERASHE[.]NET':

It appears this default 'Hello world' webpage was last updated on 5/30/2017 using the WordPress framework.

<title>Tips for today &#8211; Just another WordPress site</title>

<a href="http://jenniferashe.net/2017/05/30/hello-world/">Hello world!</a>


------------------------------------------------
STEP 2 - WHOIS/IP LOOKUPS FOR 'PLAZA-PLACE-ON[.]US'

DOMAIN: plaza-place-on[.]us
NSLOOKUP: 198.54.115[.]15
ASN: AS22612 (NAMEC-4 Los Angeles US)

WHOIS: https://www.whois.com/whois/plaza-place-on.us

Registrant Name: Aniket Kumar
Registrant Email: kaniket239@gmail.com
Registrant Organization: Microlive
Name Server: DNS1.NAMECHEAPHOSTING.COM
Name Server: DNS2.NAMECHEAPHOSTING.COM

DEJA-VU! We just saw this ACTOR in our last rabbitholin' adventure, where traffic was being driven to another malicious page ON THE SAME IP ADDRESS: big-shot-seller[.]us.


------------------------------------------------
STEP 3 - QUICK DIVE INTO THE 'WFFW[.]JENNIFERASHE[.]NET/BQ' WEBSITE

SNAPSHOT OF WEBPAGE WITHOUT MALICIOUS CODE LOADING
(NOTE: This version of site is from GOOGLE CACHE)


Now let's look at the source code...

NEW DATA POINTS OBSERVED:
Taking a look at the source code reveals more URLS, DOMAINS & POSSIBLY ADDITIONAL 'DOMAIN SHADOWING' VICTIMS.

ADDITIONAL 'DOMAIN SHADOWING' URLS/DOMAINS!!
hXXp://kdy[.]neurolibrium[.]co/HD5U
hXXp://sjq[.]bodiesinbalance[.]com/006
hXXp://wue[.]foundrytheatreworks[.]com/IP
hXXp://kkfp[.]neurolibrium[.]org/297
hXXp://ncbw[.]neurolibrium[.]net/Me4U
hXXp://ctu[.]bodiesinbalance[.]com/3660
hXXp://vxkt[.]neurolibrium[.]co/6jK76
hXXp://wbmb[.]mekrut[.]com/AX
hXXp://lzlc[.]neurolibrium[.]net/02
hXXp://nmdg[.]foundrytheatreworks[.]org/7
hXXp://muav[.]bodiesinbalance[.]com/ZJ
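A quick way to turn the "is this host shadowed?" question into something repeatable, added here as an example (not part of the original post): compare each subdomain's resolved IP and ASN against its own apex domain, and add the label-shape hints (short, vowel-free, not a name an owner would create on purpose). The jenniferashe.net rows use the lookups above; the example.com rows, the 192.0.2.x / 198.51.100.x addresses and AS64500 / AS64501 are constructed documentation values, and the scoring thresholds are my own choices. The same comparison is what a domain owner would run over their own zone when hunting for records they never created.

```python
# Constructed sample input: observed hostnames -> (resolved IP, ASN). The two
# jenniferashe.net rows are the lookups from this post; the example.com rows are
# made-up controls (example.com, 192.0.2.0/24, 198.51.100.0/24 and AS64500-64501
# are reserved for documentation, so they never collide with real infrastructure).
OBSERVED = {
    "jenniferashe.net":      ("50.62.248.1",    "AS26496"),  # apex, GoDaddy
    "wffw.jenniferashe.net": ("95.211.230.116", "AS60781"),  # shadowed host, Leaseweb NL
    "example.com":           ("192.0.2.10",     "AS64500"),
    "www.example.com":       ("192.0.2.10",     "AS64500"),  # normal: same box as apex
    "mail.example.com":      ("192.0.2.20",     "AS64500"),  # other box, same network
    "kqzx.example.com":      ("198.51.100.7",   "AS64501"),  # constructed shadow-style host
}

# Labels an owner commonly creates on purpose; anything else deserves a look.
COMMON_LABELS = {"www", "mail", "smtp", "imap", "pop", "ftp", "api", "cdn", "dev",
                 "blog", "shop", "app", "m", "ns1", "ns2", "webmail", "autodiscover"}
VOWELS = set("aeiou")


def apex_of(host):
    """Registered domain, naively taken as the last two labels.

    Good enough for the .net/.com/.co/.org hosts seen here; production code
    should consult the Public Suffix List so co.uk / com.au are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def subdomain_labels(host):
    """Labels left of the apex, leftmost first ([] for the apex itself)."""
    apex = apex_of(host)
    prefix = host.lower().rstrip(".")[: -len(apex)].rstrip(".")
    return prefix.split(".") if prefix else []


def label_signals(label):
    """Weak, label-only hints: the shadowed labels in this post are short and vowel-free."""
    signals = []
    if label not in COMMON_LABELS:
        signals.append("uncommon_label")
    if not VOWELS & set(label):
        signals.append("no_vowels")
    if len(label) <= 4:
        signals.append("short_label")
    return signals


def triage(observed):
    """Score every subdomain against the hosting of its own apex."""
    report = {}
    for host, (ip, asn) in observed.items():
        labels = subdomain_labels(host)
        if not labels:
            continue  # the apex is the baseline, not a candidate
        apex = apex_of(host)
        signals = label_signals(labels[0])
        apex_ip, apex_asn = observed.get(apex, (None, None))
        if apex_ip is None:
            signals.append("apex_unresolved")
        else:
            if ip != apex_ip:
                signals.append("ip_differs_from_apex")
            if asn != apex_asn:
                signals.append("asn_differs_from_apex")
        # The strong signal is infrastructure: a throwaway-looking label served
        # from a network the apex owner does not use. Label shape alone is not enough.
        if "asn_differs_from_apex" in signals and "uncommon_label" in signals:
            verdict = "likely_shadowed"
        elif "ip_differs_from_apex" in signals or "apex_unresolved" in signals:
            verdict = "review"
        else:
            verdict = "ok"
        report[host] = {"apex": apex, "signals": signals, "verdict": verdict}
    return report


def probable_victims(report):
    """Apex domains (and so their registrants) whose zone carries a shadowed host."""
    return sorted({r["apex"] for r in report.values() if r["verdict"] == "likely_shadowed"})


def actor_infrastructure(observed, report):
    """(IP, ASN) pairs serving the shadowed hosts: where the actor, not the victim, lives."""
    return sorted({observed[h] for h, r in report.items() if r["verdict"] == "likely_shadowed"})


if __name__ == "__main__":
    result = triage(OBSERVED)
    for host, row in result.items():
        print(f"{host:24} {row['verdict']:16} {', '.join(row['signals'])}")
    print("PROBABLE VICTIMS:", probable_victims(result))
    print("ACTOR INFRASTRUCTURE:", actor_infrastructure(OBSERVED, result))
```

The split between the two output lists is the whole "victims vs. actors" point: the registrant behind the apex (John Mekrut / The Balanced Brain on GoDaddy here) is the one who needs a phone call, while the Leaseweb address serving the wffw host is what goes into the blocklist and the next pivot.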


NEW DOMAIN DETECTED (BUYSOFTWAREAPPS[.]COM)!!
hXXp://www[.]buysoftwareapps[.]com/shop/itunes-2/ellens-emoji-exploji-warner-bros/

BUY! Button links to:
hXXps://itunes[.]apple[.]com/us/app/ellens-emoji-exploji/id1137689929?mt=8&uo=2&at=11lrD2

Is this Affiliate Fraud?!?! NEW RABBITHOLE DETECTED!


AND HERE'S THE "ELLEN EMOJI EXPLOJI ITUNES" CONNECTION FROM THE ORIGINAL SEARCH RESULT:
[DOC] Ellens emoji exploji itunes - 18 hours ago




!!!!!!    CHOOSE YOUR OWN ADVENTURE TIME    !!!!!!

This rabbit-hole is starting to get a bit crazy. Let's re-group and analyze our current finds and plan the next couple of steps. To review...

1. Searching for Wells Fargo Android mobile app on GOOGLE leads to suspicious LINK.

2. Clicking on suspicious LINK leads to possible malicious traffic rotators/directors...

302 hXXp://xmlfeed[.]info:8080/click - 216.172.56[.]21

302 hXXp://64.15.72[.]104/click[.]php - 64.15.72[.]104

302 hXXp://go[.]quali-bid[.]com:17777/click[.]php? - 64.15.72[.]46


3. ...where these Traffic Rotators/Directors lead the user to websites where SCAREWARE/FAKE TECH SUPPORT content is loaded for the user.

So far...some scary looking stuff but nothing major. Let's go for more INFO GATHERING around the original suspicious LINK and see if we can't hook into something juicier!

NEXT STEPS:
Re-crawl the original URL four more times to generate additional interesting finds (Drive-by Malware, APK downloads, Spearphishing, etc).



STEP 5 - RE-CRAWL THE INITIAL URL
Below we will document the process and our findings for the 4 new requests made to the 'hXXp://wffw[.]jenniferashe[.]net/BQ' webpage. This INFO GATHERING will provide us with additional data points around the observed "SEO Campaign(s)".

------------------------------------------------

REQUEST #1 - LANDING PAGE & SEQUENCE:
1. Clicking the link 'hXXp://wffw[.]jenniferashe[.]net/BQ' redirects us through 4 different domains and then to the final landing page below.

FINAL LANDING PAGE:
hXXp://www[.]autopartswarehouse[.]com/linkshare/?apwcid=G1225939187W491258f3acead&siteID=dWQsD5Zt_Zs-o.uT.

REDIRECT SEQUENCE:
1. go[.]quali-bid[.]com:17777 | 64.15[.]72[.]46

2. brightisles[.]com | 173.214[.]175[.]106

3. droppricealert[.]com | 206.72[.]207[.]253

4. click[.]linksynergy[.]com | 34.198[.]100[.]55





NEW DATA POINTS OBSERVED:
brightisles[.]com
droppricealert[.]com
click[.]linksynergy[.]com
www[.]autopartswarehouse[.]com
173.214[.]175[.]106
206.72[.]207[.]253
34.198[.]100[.]55
184.85.194[.]231


POSSIBLE AFFILIATE FRAUD DETECTED!!
More research is needed but there could be Affiliate Partner Information in the observed URL and delivered COOKIES, indicating possible fraudulent activity.




"Auto Parts Warehouse is an American online retailer of automotive parts and accessories for cars, vans, trucks, and sport utility vehicles."

Parent organization: U.S. Auto Parts
Headquarters: Carson, CA
Founded: 1995


------------------------------------------------
REQUEST #2 - LANDING PAGE & SEQUENCE:
1. Clicking the link 'hXXp://wffw[.]jenniferashe[.]net/BQ' redirects us through 3 different domains & 1 IP ADDR and then to the final landing page below.

FINAL LANDING PAGE (truncated):
hXXp://internet4[.]revieworbit[.]com/?isp=Comcast%20Cable%20Communications%20inc.&country=US&utm_source=Advertise.com&utm_content=46355-7337_243187&utm_term=&utm_campaign=us&utm_medium=e56-2-4-aa-72&voluumdata=BASE64dmlkL&affsub=46355-7337_243187&terms_html=ellens%20emoji%20exploji%20itunes&terms_html_kw=ellens%20emoji%20exploji%20itunes&xsite=xsite}&epc=0.0130&sid=1499039022595_1499039007225_114_624_61407805_1

REDIRECT SEQUENCE:
1. xmlfeed[.]info:8080 | 216.172.56[.]21

2. 64.15.72[.]104 | 64.15.72[.]104

3. ml8730[.]com | 38.107.161[.]250

4. track[.]spdtrck[.]pro | 52.86.58[.]112






NEW DATA POINTS OBSERVED:
xmlfeed[.]info
ml8730[.]com
track[.]spdtrck[.]pro
internet4[.]revieworbit[.]com
216.172.56[.]21
64.15.72[.]104
38.107.161[.]250
52.86.58[.]112

SURVEY/SCUMWARE DETECTED!!
More research is needed but there could be RISK in clicking buttons on the site (completing the Survey is not recommended).



QUICK OSINT LOOKUP:
Look up top referrals and destination sites using SimilarWeb.

TOP REFS TO REVIEWORBIT[.]COM:
kissanime[.]ru
vq40567[.]com
vq78391[.]com
wd15303[.]com
credittipstoday[.]com

TOP REFS/DESTS FROM SIMILARWEB:
https://www.similarweb.com/website/revieworbit.com#referrals


------------------------------------------------
REQUEST #3 - LANDING PAGE & SEQUENCE:
1. Clicking the link 'hXXp://wffw[.]jenniferashe[.]net/BQ' redirects us through 3 different domains & 1 IP ADDR and then to the final landing page below.

FINAL LANDING PAGE:
hxxp://vitalworldnews[.]com/ob/?AffiliateReferenceID=1499026682299_1499026669282_121_71828_59656669_1

REDIRECT SEQUENCE:
1. xmlfeed[.]info:8080 | 216.172.56[.]21
2. 64.15.72[.]104 | 64.15.72[.]104
3. ml8730[.]com | 38.107.161[.]250
4. vitalworldnews[.]com | 104.198.183[.]107


QUICK PIVOT - OUTBRAIN DETECTED!:
<div class="OUTBRAIN">
http://widgets.outbrain.com/outbrain.js


NEW DATA POINTS:
xmlfeed[.]info:8080
ml8730[.]com
vitalworldnews[.]com
widgets.outbrain[.]com
216.172.56[.]21
64.15.72[.]104
38.107.161[.]250
104.198.183[.]107
23.216.80[.]58

------------------------------------------------
REQUEST #4 - LANDING PAGE & SEQUENCE:
1. Clicking the link 'hXXp://wffw[.]jenniferashe[.]net/BQ' redirects us through 2 different domains & 1 IP ADDR (then to an unknown destination) and then to the final landing page below.

FINAL LANDING PAGE:
hXXps://www[.]amazon[.]com/VideoSecu-ML531BE-Monitor-Articulating-Extension/dp/B000WYVBR0?psc=1&SubscriptionId=AKIAJ2AME6KQOPD23XQQ&tag=alwaysfishertoys-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=B000WYVBR0



REDIRECT SEQUENCE:
1. 64.15.72[.]104 | 64.15.72[.]104
2. go[.]quali-bid[.]com:17777 | 64.15[.]72[.]46
3. brightisles[.]com | 173.214[.]175[.]106
4. UNKNOWN





AMAZON AFFILIATE PARTNER FRAUD?:
alwaysfishertoys-20
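The affiliate identifiers (tag=, siteID=, AffiliateReferenceID=, the Amazon SubscriptionId) and the base64 go= values on the click trackers are the data points to pivot on, so here is an added Python example (not from the original post) that extracts them from the landing pages recorded above, decodes base64-wrapped destinations hidden in query values, and maps each identifier to the hosts it appeared on. The Amazon, Auto Parts Warehouse and vitalworldnews URLs are the ones captured above; the TRACKER URL is constructed to mirror the click.php?go=<base64> shape these trackers use (visible in the second redirect chain further down this page) and points at a made-up .test host. The key list and function names are my own.

```python
import base64
import binascii
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Query keys that carry a publisher/affiliate or campaign identity. The names come
# from the landing pages in this post (tag=, siteID=, AffiliateReferenceID=, affsub=,
# apwcid=, SubscriptionId=, utm_*); matching is case-insensitive.
AFFILIATE_KEYS = {"tag", "siteid", "affiliatereferenceid", "affsub", "apwcid",
                  "subscriptionid", "utm_source", "utm_campaign", "utm_content", "utm_medium"}

# Landing pages from this post, refanged so urlsplit can parse them.
AMAZON = ("https://www.amazon.com/VideoSecu-ML531BE-Monitor-Articulating-Extension/dp/B000WYVBR0"
          "?psc=1&SubscriptionId=AKIAJ2AME6KQOPD23XQQ&tag=alwaysfishertoys-20&linkCode=xm2"
          "&camp=2025&creative=165953&creativeASIN=B000WYVBR0")
AMAZON_JUICER = ("https://www.amazon.com/Chef-Kitchen-Tools-Manual-Juicer/dp/B01KKD1R0S"
                 "?SubscriptionId=AKIAJ2AME6KQOPD23XQQ&tag=alwaysfishertoys-20&linkCode=xm2"
                 "&camp=2025&creative=165953&creativeASIN=B01KKD1R0S")
AUTOPARTS = ("http://www.autopartswarehouse.com/linkshare/"
             "?apwcid=G1225939187W491258f3acead&siteID=dWQsD5Zt_Zs-o.uT.")
VITALWORLDNEWS = ("http://vitalworldnews.com/ob/"
                  "?AffiliateReferenceID=1499026682299_1499026669282_121_71828_59656669_1")
# Constructed: a click-tracker hop in the "click.php?go=<base64 url>" shape seen in
# these chains; the tracker IP is from the post, the destination is a made-up .test host.
TRACKER = "http://64.15.72.104/click.php?go=" + base64.urlsafe_b64encode(
    b"http://landing.example-offer.test/promo?ref=constructed").decode().rstrip("=")


def query_params(url):
    """Query string as (key, value) pairs with keys lower-cased; keeps blank values."""
    return [(k.lower(), v) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def extract_affiliate_ids(url):
    """Pick out the parameters that say who gets paid for this click."""
    return {k: v for k, v in query_params(url) if k in AFFILIATE_KEYS}


def _decode_if_url(value):
    """Return the URL hidden in a base64 value, else None (tries urlsafe, then standard)."""
    if len(value) < 8:
        return None
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            # trackers usually strip the '=' padding; put it back before decoding
            text = decoder(value + "=" * (-len(value) % 4)).decode("ascii")
        except (binascii.Error, ValueError):
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


def embedded_destinations(url):
    """Plain or base64-encoded URLs tucked into query values (go=, url=, r=, ...)."""
    found = []
    for _, v in query_params(url):
        if v.startswith(("http://", "https://")):
            found.append(v)
        else:
            decoded = _decode_if_url(v)
            if decoded:
                found.append(decoded)
    return found


def affiliate_pivot(urls):
    """Map each affiliate identifier to the hosts it was seen on: one id showing up
    on two unrelated shops is the kind of connection worth chasing."""
    seen = defaultdict(set)
    for url in urls:
        host = urlsplit(url).hostname
        for k, v in extract_affiliate_ids(url).items():
            seen[f"{k}={v}"].add(host)
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    for u in (AMAZON, AMAZON_JUICER, AUTOPARTS, VITALWORLDNEWS, TRACKER):
        print(urlsplit(u).hostname, extract_affiliate_ids(u), embedded_destinations(u))
    print(affiliate_pivot([AMAZON, AMAZON_JUICER, AUTOPARTS, VITALWORLDNEWS]))
```

The tag= value is the Amazon Associates tracking ID (US IDs end in -20), which is why the same "alwaysfishertoys-20" turning up on two unrelated Amazon product pages is the thread to pull; the SubscriptionId is the Product Advertising API access key the link was generated with and is a second identifier tied to the same account.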




!!!!!!    CHOOSE YOUR OWN ADVENTURE TIME    !!!!!!

Before closing out this investigation, let's make a quick OSINT check into this "alwaysfishertoys-20" Amazon Affiliate Partner.

1. Google search for the following:
alwaysfishertoys



2. Clicking on the GOOGLE SEARCH RESULT shown above loads the following website:
hXXp://saginawcounty[.]com/n1site/apps/LeaveSite.aspx?url=alwaysfishertoys.com%2Fs%3Fsearch%3Dmanual%2Bjuice%2Bpress%2BB01KKD1R0S

What the shit is this? Looks like someone is trying to drive traffic to Amazon for financial gain!



"You are about to be redirected to another site. If this does not happen automatically in 5 seconds, click the link below."



REDIRECT LEADS TO:
hXXp://alwaysfishertoys[.]com/s?search=manual+juice+press+B01KKD1R0S

WHICH LINKS TO:
https://www.amazon.com/Chef-Kitchen-Tools-Manual-Juicer/dp/B01KKD1R0S?SubscriptionId=AKIAJ2AME6KQOPD23XQQ&tag=alwaysfishertoys-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=B01KKD1R0S

------------------------------------------------------------------

LAST QUICK OSINT CHECK - SIMILARWEB (ALWAYSFISHERTOYS.COM)
Notice the previously observed domain 'brightisles[.]com' is on the TOP 5 REFERRING SITES list! There are some connections to be made 'round these here rabbitholes...but for now...


(https://www.similarweb.com/website/alwaysfishertoys[.]com#referrals)

------------------------------------------------------------------
!!!!!!    CHOOSE YOUR OWN ADVENTURE TIME    !!!!!!

I choose to take a carrot break here. That's right...we're all done for now. Until next time...


Saturday, July 1, 2017

GOOGLE $CAMS: $EO VooDoo

Making money with Black Magic!


This investigation will utilize the following techniques...

A. Search Google with terms of interest and look for signs of malicious intent/anomalies
B. Investigate search results deeper for info gathering purposes
C. Pivot on Items of Interest, Indicators of Compromise/Association/Anomalies
D. Create Summary of Findings report and complete investigation

Using these techniques with your own skills/methodology will result in actionable intelligence that can 'tell a story' around an area of interest. Your results will depend on your own creativity, time boxing & toolsets/datafeeds available.

*theLostRabbit approaches rabbithole cautiously*


A. Choose area of interest for search topic.

Let's dive into a "Make money fast" rabbithole if we can. Using GOOGLE SEARCH we will search for the following terms (using the PAST 24 HOURS advanced search parameter)...

make money fast and easy



Now let's look at the results. Ooh. The second result looks interesting...

Simple witchcraft spell to gain money in one night
hXXp://midalva[.]se/kcg/Xgf

That URL definitely seems promising. Should we click it? Absolutely!

----------------------------------------------------------------------

B. Analyze results & perform INFO GATHERING...

Let's click that link from above and see where the rabbithole takes us.

Loading Screen...


WHOOPSY! SCAREWARE / FAKE TECH SUPPORT!!
Whose voice is that? You have my Facebook login? My bank account?! OMFG!@#$

LANDING PAGE: hXXp://www[.]big-shot-seller[.]us/
IP ADDR/ASN: 198.54.115[.]15 / AS22612

NEXT PIVOT ITEMS:
  • 1-866-331-7691
  • Error # 268D3
  • 198.54.115[.]15
  • big-shot-seller[.]us



Examining the redirect sequence - what the hell just happened?

Taking a look at the code at hXXp://midalva[.]se/kcg/Xgf and we can validate what connections have occurred...

Using the 'Developer Tools' of the browser we can identify dependent requests made during initial page load...

hXXp://zxb[.]krabns[.]com/be7a481cd.js?r=https%3A%2F%2Fwww.google.com%2F%3Fq%3Dnight%26qtk%3D1&page=http%3A%2F%2Fmidalva.se%2Fkcg%2FXgf&ti=98222&tg=42075,



Code loading from zxb[.]krabns[.]com is injecting unwanted content into the view and redirecting the browser to mobilezone24[.]com which then redirects to big-shot-seller[.]us (our SCAREWARE/FAKE TECH SUPPORT landing page).

NEXT PIVOT ITEMS:
  • zxb[.]krabns[.]com
  • mobilezone24[.]com



NEXT STEPS in INFO GATHERING:

Let's connect to our original link (hXXp://midalva[.]se/kcg/Xgf) again using different browsers and maybe a different GEOGRAPHICAL LOCATION (using Proxy Services, VPN or TOR to randomize your source IP address). This may yield different results and landing pages (more info gathering!).


REQUEST #1 SEQUENCE:
Upon loading our original link, we are presented with an animated loading page (I will provide additional variations of loading pages below) and then directed through a 302 redirect chain and sent to www[.]kimlostlovespells[.]com.


FINAL LANDING PAGE:
hXXp://www[.]kimlostlovespells[.]com



NEXT PIVOT ITEMS:
  • Spells with Results
  • by Professor Ali Khim
  • WhatsApp/Phone: +256703106587
  • kimlostlovespells[.]com
  • 64.237.55[.]221
  • meta[.]7search[.]com
----------------------------------------------------------------------

REQUEST #2 SEQUENCE:
Yikes! More SCAREWARE/FAKE TECH SUPPORT! Redirect chain/sequence info below...



Redirect chain for Request #2:
302 - zxb[.]krabns[.]com/be7a481cd.js?
302 - xmlfeed[.]info:8080/click?node=54&
302 - 64.15.72[.]104/click.php?go=aHR0cD
302 - 64.15.72[.]104/click_second_new3.php
302 - go[.]quali-bid[.]com:17777/click.php?
302 - singlesmatch[.]xyz/clicktracker-qualibid.php
302 - 52.25.80[.]191/1-844-284-7333/
301 - 52.25.80[.]191/1-844-284-7333/chrm
200 - 52.25.80[.]191/1-844-284-7333/chrm/


NEXT PIVOT ITEMS:
  • 1-844-284-7333
  • Error # 268D3
  • 54.52.120[.]211
  • xmlfeed[.]info
  • 64.15.72[.]104
  • go[.]quali-bid[.]com
  • singlesmatch[.]xyz
  • 52.25.80[.]191
----------------------------------------------------------------------

REQUEST #3 SEQUENCE:


Here we end up at bing.com and results for the search terms:

simple witchcraft spell to gain money in one night

No Micro$oft rabbitholin' for me (for the moment)...I'm out!


NEXT PIVOT ITEMS:
You could gather the URLs and domains from the top search results and perform whois & OSINT lookups to gain more info.

----------------------------------------------------------------------

OTHER OBSERVED LOADING SPLASH PAGES:





C. NEXT PIVOT ITEMS: Reverse Lookups, OSINT & Making Connections!

We now have a nice list of data points to look into as a next step. Where do we start? Which info do we dive into first? Let's organize a quick list of all of our data...

GROUP 1:
1-866-331-7691
Error # 268D3
198.54.115[.]15
big-shot-seller[.]us

GROUP 2:
zxb[.]krabns[.]com
mobilezone24[.]com

GROUP 3:
Spells with Results
by Professor Ali Khim
WhatsApp/Phone: +256703106587
kimlostlovespells[.]com
64.237.55[.]221
meta[.]7search[.]com

GROUP 4:
1-844-284-7333
Error # 268D3
54.52.120[.]211
xmlfeed[.]info
64.15.72[.]104
go[.]quali-bid[.]com
singlesmatch[.]xyz
52.25.80[.]191

---------------------------------------------------------------

And now let's start with the first group and pick 1 or 2 data points...do a quick reverse lookup, gather new info and then move on to the next group and pick another data point.

So we will now start with GROUP 1...

DOMAIN: big-shot-seller[.]us

1. WHOIS LOOKUP: https://www.whois.com/whois/big-shot-seller.us

Name: Aniket Kumar
Organization: Microlive
Email: kaniket239@gmail[.]com

Address/Phone:
5701 Yatchman Ct
Brown Summit, NC 27214
+1.8669556652

PIVOT ON EMAIL ADDR: kaniket239@gmail[.]com

RESULTS (BLACKLISTED DOMAINS ASSOCIATED WITH EMAIL ADDR):
card0-us0-reaward[.]us
click-thru-obi-28[.]us
error-activation-0xc0000433[.]us
error-go-sites-get-code-0x00003121[.]us
error-recovery-0xc0000524[.]us
fast-rew0r0ds-away[.]us
gifts-online-get[.]us
in-rew00rds-prog0am[.]us
perfect-rew0fard-web[.]us
rewa0rds-we0b-off[.]us
us-breaking-news[.]us
us-news-express[.]us
windows-error-page-report[.]us
windows-online-reporting-error-0xc00000361[.]us
windows-security-alert-error-code[.]us
windows-web-security-error[.]us
windows-error-server-0xc0000617[.]us

20 MORE RECENTLY OBSERVED DOMAINS ASSOCIATED WITH EMAIL ADDR:
name-blue-ribs[.]us
silver-jsr-pot[.]us
four-who-gone[.]us
greek-name-get[.]us
film-on-kite[.]us
green-popular[.]us
violet-pee-on[.]us
bulb-maze-art[.]us
match-like-pic[.]us
walk-out-show[.]us
active-on-road[.]us
wind-on-vibe[.]us
flap-mud-pen[.]us
curtain-glow-fit[.]us
grey-portal-kite[.]us
button-case-fill[.]us
tape-cover-ample[.]us
relation-off-leg[.]us
glass-convect-case[.]us
ballot-box-pix[.]us

---------------------------------------------------------------

Now moving on to GROUP 2...

HOST: zxb[.]krabns[.]com

1. WHOIS LOOKUP: https://www.whois.com/whois/krabns.com

Name: Whois Agent
Organization: Domain Protection Services, Inc.
Email: krabns.com@protecteddomainservices.com

Address/Phone:
PO Box 1769
Denver, CO 80201 US

Phone: +1.7208009072
Fax: +1.7209758725

--------------

2. IP Lookup on host: 46.165.242[.]136 (AS28753 Leaseweb Deutschland GmbH)

PIVOT ON IP ADDRESS (20 ADDITIONAL ASSOCIATED SUBDOMAINS RECENTLY OBSERVED):
axg[.]krabns[.]com
br[.]krabns[.]com
cfje[.]krabns[.]com
ch[.]krabns[.]com
dk[.]krabns[.]com
fet[.]krabns[.]com
il[.]krabns[.]com
jkbd[.]krabns[.]com
kec[.]krabns[.]com
lpp[.]krabns[.]com
nnoi[.]krabns[.]com
qzp[.]krabns[.]com
seiy[.]krabns[.]com
tbvw[.]krabns[.]com
tsu[.]krabns[.]com
uo[.]krabns[.]com
vfsj[.]krabns[.]com
xnxe[.]krabns[.]com
yuzh[.]krabns[.]com
zxb[.]krabns[.]com

4 HOSTS/DOMAINS OBSERVED ON SAME IP BUT FROM DIFFERENT DOMAINS:
contmritirc[.]myvnc[.]com
coultretmig[.]serveftp[.]com
ns1[.]luddns[.]com
anew[.]noip[.]me

---------------------------------------------------------------

Diving in to GROUP 3 and an observed domain name....


DOMAIN: kimlostlovespells[.]com

Name: KHIM CASTER
Organization: KHIM SPELLS
Email: tmaniac68@gmail[.]com

Address/Phone:
BAY AREA CALIFORNIA
SAN FRANSCISCO, CALIFORNIA 94101 US
+1.4157621722

QUICK PIVOT ON EMAIL ADDR (ADDITIONAL ASSOCIATED DOMAIN NAMES):
africanexperiencesafaris[.]com
bagempireshopping[.]com
bestmagicandspells[.]com
cashmoneytemplates[.]com
cocaweu[.]org
core-initiativeug[.]org
glatteegroup[.]com
greatspellcaster[.]com
illuminatimasters[.]com
ingwegroup[.]com
kimlostlovespells[.]com
love-lovespells[.]com
lovespells-caster[.]com
lovespellsandrituals[.]com
lovespells-psychic[.]com
lovespellskim[.]com
mamahajaraspells[.]com
nativelovespells[.]com
powerfulnativespells[.]com
profmamafahimah[.]com
profmamahamidah[.]com
realspellsandmagic[.]com
sodexelectronics[.]com
soullightmin[.]org
spellsdoc[.]com
spellshome[.]com
tech-fanatic[.]com
ugacep[.]org

---------------------------------------------------------------

And finally, GROUP 4...

HOST: go[.]quali-bid[.]com


HOST/SUBDOMAIN: go[.]quali-bid[.]com (64.15.72[.]46)

MAIN DOMAIN: quali-bid[.]com (64.15.72[.]44)


QUICK PIVOT ON IP ADDR (64.15.72[.]44) USING P4SSIVET0T4L:


Pivoting on the IP Address reveals additional QUALIBID branded hosts as well as references to previously hosted 'meta[.]7search[.]com.qualibid[.]com'. We have now observed both 7search and Qualibid in multiple requests/sequences and are starting to make some connections/associations.





D. SUMMARY OF FINDINGS: Putting some of the pieces together

Now that we have completed our INFORMATION GATHERING phase we can focus on tying our connections together (if possible) and providing some context around our data and begin to tell a story and/or form new questions to be answered (and in the process create the Summary of Findings report and complete the investigation).

Let's recap...
1. Searching Google with the search terms "make money fast and easy" (and 'Past 24 hours') we discover an anomalous URL associated with 'midalva[.]se', a seemingly harmless website (in this case, the owners of this site may have been hacked and are potentially the VICTIMS in this case).



From their website (translated):
"We produce magazine Forest Technology and is responsible for advertising magazine Machine contractor. We can take on more sell orders as well as for the copy and journalist freelancing.

two co-owners
Midälva Information has two shareholders: Ove Jansson, editor, journalist and copy and Tomas Nordmark, advertising sales and finance manager. Besides Thomas and Ove Christer Nilsson company employee. He works remotely with selling ads to the newspaper Forest Technology and newspaper machine contractor."

Also, searching Google for the domain name (midalva[.]se) results in a warning to potential visitors of their website:

Notice the first result from Google has the warning "This site may be hacked" after the URL. Google lists them as a "Marketing consultant in Sundsvall, Sweden". If we take a look at Google Safe Browsing there is no indication there is a problem with this site. Hmmmmm.

https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=en#url=midalva.se

NEXT STEPS:
Email or telephone the discovered contacts for 'midalva[.]se' to assist with remediation of staged fraudulent hosts (DOMAIN SHADOWING VICTIMS?).

----------

2. From 'midalva[.]se' we observe browsers redirected to 'krabns[.]com' (potential VICTIMS, however more information is needed to verify) and then to 'xmlfeed[.]info'. Additional traffic directors/advertisers were observed, including: quali-bid[.]com, meta[.]7search[.]com & singlesmatch[.]xyz/clicktracker-qualibid[.]php.

NEXT STEPS:
Email or telephone the discovered contacts for 'krabns[.]com' to assist with remediation of staged fraudulent hosts (DOMAIN SHADOWING VICTIMS?).

More research needs to be done on Qualibid, XMLFeed, 7search & Singlesmatch (and possible Clicktracker connection).


----------

3. One of the LANDING PAGES observed was 'www[.]kimlostlovespells[.]com' which has known reputation issues (screenshot of RipoffReport entry below).

http://www.ripoffreport.com/reports/kimlostlovespellscom/-/kimlostlovespellscom-ali-khim-i-was-so-stupid-uganda-kampala-1364110

"I was so stupid to send this guy 2000$ because he said I had some dangerous devils around me and needed to be dealt with. He is the worst person ever. Please don't ever trust this guy, he comes up with the most lame excuses to scare you. He asked me for extra 2200$ to send him cuz he needed to cleanse my money apparently and when I refused to send him that he said that he couldn't help me because apparently it's all my fault. I would never trust this guy. I am sharing This because I don't want anyone else to fall for this crap. Please stay away from this spell caster he is full of crap and bull s***."



Name: KHIM CASTER
Organization: KHIM SPELLS
Email: tmaniac68@gmail[.]com

Additional Name: Professor Ali Khim
WhatsApp/Phone: +256703106587

Could this "ACTOR" be associated with the AD NETWORKS or TRAFFIC DIRECTORS observed in our requests driving traffic to their domain for PSYCHIC SERVICE FRAUD (also...how can they not see this coming)?

NEXT STEPS:
Check for connection between domain owner and TRAFFIC DIRECTORS/AD NETWORKS observed.

----------

4. One of the LANDING PAGES observed was 'big-shot-seller[.]us', which is associated with a known THREAT ACTOR (the associated email address owns several domains which are currently blacklisted).

Name: Aniket Kumar
Organization: Microlive (additional ORG Names observed)
Email: kaniket239@gmail[.]com

Could this "ACTOR" be associated with the AD NETWORKS or TRAFFIC DIRECTORS observed in our requests driving traffic to their domain for the purpose of financial fraud & PHISHING SCAMS?

NEXT STEPS:
Check for connection between domain owner and TRAFFIC DIRECTORS/AD NETWORKS observed.




SUMMARY OF FINDINGS:

POSSIBLE DOMAIN SHADOWING DETECTED!
https://www.cursivesecurity.com/blog/2017/domain-shadowing/

"Domain shadowing is when a hacker gets access to your domain registration account, like at GoDaddy, and creates subdomains under your domain."

------------------
POSSIBLE THREATS (ACTOR/GROUP) DETECTED!

  • KHIM SPELLS | Professor Ali Khim | tmaniac68@gmail[.]com
  • Aniket Kumar | Microlive | kaniket239@gmail[.]com
  • SHADY AD NETWORKS / TRAFFIC DIRECTORS

------------------
BLACKLISTED DOMAINS DETECTED!

Aniket Kumar (kaniket239@gmail[.]com) currently owns several domains themed around SCAREWARE, FAKE TECH SUPPORT, CARD & REWARD SCAMS that are BLACKLISTED (PHISHING & MORE)!



------------------
POSSIBLE PSYCHIC SERVICE FRAUD DETECTED!

KHIM SPELLS/Professor Ali Khim (tmaniac68@gmail[.]com) currently owns several domains themed around MAGIC, SPELLS, WITCHCRAFT AND MONEY. This person has known reputation issues around their domain and services (courtesy of the RipoffReport).


------------------
RECOMMENDATIONS:

  1. Add all associated domains to BLACKLISTS and propagate to all Security Devices & Service Nodes network-wide.
  2. Secure all domain accounts, change passwords and implement 2FA (Two-Factor Authentication) to access ADMIN panels/consoles.
  3. Remove any unwanted subdomains/hosts from ZONE files and cached DNS services.
  4. Remove rogue/unwanted directories & HTML files from compromised web servers.
  5. Analyze web framework used for Traffic Distribution Systems.