8/03/2006

A sophisticated phishing operation

Remember the Live Messenger installer trojan? It's gone. It doesn't change my article a bit, but it's good news.
I'd like to add that I have no grudge against Microsoft, or at least not only against them.
I mentioned in previous articles how the lack of attention from those in charge of networks and servers helps criminals in their activities. So the list of people I have a grudge against is really, really huge.

Today I received yet another eBay phishing message; this one in particular was the tip of a major phishing operation. I had seen one like this before, but a lot smaller.
The typical phishing page is set up on a hacked server. There's no need to take full control of it; just enough access to create a directory and copy some files is more than enough. Lately I've seen a lot of web servers running on ADSL or cable networks, almost all of them Apache. My guess is that more people are using Linux and are leaving the web server running and serving the public interface. Maybe there's a reason to have the web server on: maybe they're using an administration tool that requires it, like Webmin, or maybe they're doing web page development. But they don't have to serve it on the public interface. And I can tell that most of the time the intention wasn't to serve the public interface, because if I go back to the root, the Apache default page shows up; there's no page there for outside users.
The whole phishing job is to hack a server, set up a page, send the messages and wait. The page may have a local data file to store the data collected (nothing fancy, just a text file), or it sends the data by mail to a free account controlled by the phisher.
The messages are sent with the same techniques used by commercial spam. Which is good, because most spam filters are catching them.
If you want to stop a phishing job, these are the points to attack:

* Block the messages. This part is being done already by spam filters. The problem is that they are doing damage control: the messages were already sent, received and stored in the user's mailbox. And to make matters worse, here are some reasons why spam filters are not enough:

- Not everyone has a spam filter
- Not all spam filters detect all the phishing messages
- Some let the message pass because the alleged sender is an authorized mail address for a PayPal user
- Some users pick the message out of the spam folder thinking that it was a filter error

* Block access to the page. This is the most effective if done quickly. Once the page is blocked or deleted, all the messages are useless. Moreover, the phisher will keep sending messages linked to that page for a while, wasting his time. The problem here is the reaction time of the people in charge of servers and networks.

* Catch the phisher.

There's not much that can be done with the messages unless someone comes up with an effective way to eliminate spam (I know how, just ask me).
Going after the phisher is a very complex problem to solve. You can report the message, and from it it's easy to get the originating IP number. Hopefully, if the connection is being used legally by the phisher, the ISP can identify him; I've seen many of them using DSL services. But at this point they're only spammers; the ISP may slap his hand or terminate his account. My guess is that it has to be a repeat offender to get to that situation. Let's face reality: the complainer is someone who could be on the other side of the planet, the perpetrator is a paying customer.
The servers that were hacked most likely are not being supervised properly; that's the reason they were hacked in the first place. I don't think it will be easy to get an administrative log of when the phisher logged in to set up the page, or even an access log of when the phisher accessed the data file.
At this point, depending on the location of the server and the phisher, there may be a crime. But the owner of the server has not suffered any loss. Most likely he's not using the web server at all and wasn't aware that it was running. He won't go through the hassle of filing a criminal case in court. He'll be happy to fix his problem and move on.
By the time the real crime is committed, with economic loss for the victim, a lot of small links have to be put together to go from the crime to the phisher. The victim has to be able to relate the loss of money from his account to the event of logging on to a fake page, and this is someone who wasn't able to tell the difference at the time. Then he has to be able to recover the original message and hope for it to have an IP number linking to the phisher, or for the phishing page to still be active. And if the page is intact, hope for a log showing the phisher's activity in some way.
Let's say that all these things can be put together; it seems a pretty impressive amount of evidence to support a case. But so far it's all bits and bytes, something I could make up with Notepad on my PC. This is evidence that requires the analysis of experts to be used in court, people able to explain the meaning of it and to certify that it is the real thing.
But all this is after the crime has been committed; it does no good for the victims.
The most effective way to fight phishing is to attack the pages. There are fewer of them than messages; once thousands of messages are sent they're out of control, there's no way to take action against all of them. The pages, on the other hand, are static, they can't move, and they're limited in number.
It's all a matter of speed: they have to be eliminated fast to minimize the number of people logging in. And if the page has a local data file, it has to be eliminated before the phisher can access it.
The first thing is to be aware that the page exists. It seems easy because I've reported so many, but I only know about those that are linked to messages I've received. I've exposed my mail address on purpose to get them and, even so, I'm sure I don't get all of them. The method is pretty good; to be used effectively it would take more than my one-man army. Not much more: a small group of people working in shifts to cover a 24-hours-a-day operation.
The other way to get the warning is in the hands of the original sites. I think I said that before, but it's worth repeating. The phishing pages use the images and other elements from the original sites. Every time someone opens the phishing page, it sends requests to the original site for the logos, styles, etc. Every request bears an HTTP Referer header clearly showing that it is not coming from the original site or from another site authorized to request that object. So the first warning, the one that fires every time a victim falls, is being sent to the original sites. This is a topic for another long article.
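As an added example (not code from the original post), here is the Referer check described above as a small parser over constructed Apache combined-format log lines: it flags requests for the site's own logos and stylesheets whose Referer host is not on an assumed allow-list. The allow-list, the watched paths and the log lines are assumptions; the header is spelled Referer on the wire.

```python
import re
from urllib.parse import urlparse

# Constructed Apache combined-format log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Mar/2006:12:01:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4312 "https://www.example-bank.test/login" "Mozilla/4.0"
10.0.0.6 - - [08/Mar/2006:12:01:05 +0000] "GET /css/style.css HTTP/1.1" 200 811 "http://amn27d.info/signin.php" "Mozilla/4.0"
10.0.0.7 - - [08/Mar/2006:12:01:07 +0000] "GET /images/logo.gif HTTP/1.1" 200 4312 "-" "Mozilla/4.0"
10.0.0.8 - - [08/Mar/2006:12:01:09 +0000] "GET /images/logo.gif HTTP/1.1" 200 4312 "http://84.138.129.118/signin.php" "Mozilla/4.0"
10.0.0.9 - - [08/Mar/2006:12:01:11 +0000] "GET /login HTTP/1.1" 200 2210 "http://some-forum.test/thread" "Mozilla/4.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hosts allowed to embed the site's static assets (assumed for this example).
ALLOWED_REFERER_HOSTS = {"www.example-bank.test", "example-bank.test"}
# Assets a phishing page typically hot-links from the real site (assumed prefixes).
WATCHED_PREFIXES = ("/images/", "/css/")

def suspicious_referers(log_text, allowed_hosts=ALLOWED_REFERER_HOSTS):
    """Return {foreign_referer_host: {asset paths}} for hot-linked assets.

    A Referer host outside the allow-list asking for the site's logo or
    stylesheet is the signal the post describes: a page elsewhere is
    rendering itself with the real site's branding."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(WATCHED_PREFIXES):
            continue
        ref = m.group("referer")
        if ref == "-":
            continue  # no Referer: direct request or stripped by a proxy, not evidence
        host = urlparse(ref).hostname
        if host is None or host in allowed_hosts:
            continue
        hits.setdefault(host, set()).add(m.group("path"))
    return hits

if __name__ == "__main__":
    for host, paths in suspicious_referers(SAMPLE_LOG).items():
        print(f"{host}: {sorted(paths)}")
```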
Once the page is detected, the real work begins. The page has to be closed, deleted, blocked. The problem here is that the owner of the server itself can't be contacted most of the time. Sometimes the hacked site is a public web server, one that's serving a public IP interface with a purpose. If you get to the home page, chances are you'll find a contact, an email address or a phone number. Even if you don't, you can check the contacts for the domain name registration. But these cases are not the most common. Public web servers are, in most cases, under control. The people running them are aware of the dangers of a public interface and have an interest in the smooth operation of the servers. So they're either well protected or will answer quickly to a report of hacking. There's still a number of servers handled by clueless people that will be hacked for sure and that won't act quickly or won't act at all.
And those should be added to the most difficult group: the servers that nobody knows are serving a public interface. Those are the real problem. They're over 90 per cent of the total, there's no way to contact the owner directly and, most likely, the owner doesn't know how to fix it.
Here's where the only resource is to contact the ISP in charge of the IP address and hope for the best.
The ISP is not going to block the IP completely, and I think they have good reasons for it. Besides the economic balance, unknown complainer against paying customer, the customer is also a victim. His server has been hacked; he's not getting any benefit from the phishing.
All the ISP can do is contact the customer and tell him what the problem is. Then it's up to the customer to remedy the situation. And, most likely, he won't be able to fix it immediately.
ISPs don't have firewalls to filter traffic in the blocks of public addresses dedicated to customers; it doesn't make sense when the responsibility for the equipment connected to that public address belongs to someone else. With a firewall they'd be able to block the service port for that particular IP address and deal with the problem over time. But it would require high-bandwidth equipment with minimal latency to filter less than 1 packet in a million.
Another alternative would be to force an IP change of the offending connection, if the assignment is dynamic. The ISP has to identify the customer, so he can be notified to fix the problem, force the expiration of the IP lease and reset the connection, forcing the system to request a new IP number. It would be a minor annoyance for the customer but it's a quick solution that could save many from falling into the trap.
In systems where the IP number assignment is static, the numbers are fixed for each connection, the solutions for the ISP are more complicated and sometimes there's no other solution than requesting the owner of the server to fix it.

And this is basically the way a typical phishing operation works. As you can see, it can be run with almost no resources besides knowledge and skills, it is really hard to fight against, and the chances of being caught are very small. It's the kind of operation that's profitable no matter how poor the results are.

Now, the more complex phishing operation. In this one, the phisher obtained two domain names. I don't know if he bought them, maybe paying with an account hacked in a previous operation, or took control of them by other means. One domain name was used for the phishing server and the other for a domain name server. Then he hacked two servers, but not to install a phishing page: instead he installed the domain name servers (primary and secondary) and declared them the start of authority for the other name. The name of the phishing server was amn27d.info and the name of the DNS server was COMNET-US.COM.
Here's the trick: the names we use for domains mean nothing to a network; they have to be resolved somehow to an IP number. The domain name servers do that. There isn't one huge database of name-to-number correspondences; in fact it's a distributed database system. Each name belongs to an authoritative nameserver space depending on its extension (.com, .org, etc.). These nameservers have their lists of domain names, but the records don't have the IP numbers for those domains. Each record has a pointer to the domain name server that has authority over that domain. This allows the owners of the domains more flexibility in the way they handle their networks. Let's say you want to move your web server to a new computer: you don't have to ask someone else to change the IP assignment, you change your DNS record. Or if you want to have more than one server, you can tell your DNS to point your domain name to different IP numbers. This may work as a backup system (if A fails, point to B) or as load balancing (point alternately to A and B).
Having control of the DNS and the name of the phishing server, the hacker started planting phishing pages on as many servers as he could hack. I counted over 40 of them. As the servers were set up, they were also assigned to the domain name amn27d.info on both domain name servers. So now, every time a request was made for amn27d.info, the DNS server was able to point to any one of the over 40 active phishing servers.
I said before that the phishing server was a weak point because it is at a fixed location and, once detected, it can be shut down, rendering all the messages pointing to it completely useless. Well, not anymore. Now all the messages point to amn27d.info and, if one of the servers is down, the DNS will point to any other. In fact, the DNS has no idea whether the page is running or not. It reports to the client asking for that name, you or anyone asking for that page, as many IP numbers as it's configured to report. In this case it was configured to give 5 IP numbers picked randomly from the whole lot. It's up to the client application, your browser, to check if the server is responding and, if not, move to the next IP number.
It's a very complex setup for a phishing operation, but it's totally normal. Many Internet servers use this kind of setup to improve their performance and uptime.
To make matters worse, the hacker set the web servers to respond by domain name and not by IP number. This means that if you use http://amn27d.info the server responds, but if you use the IP number, http://84.138.129.118, the server doesn't respond or gives you another page; in this case it was a blank page. The reason for that is that it makes it almost impossible to report the phishing servers. If the ISP checks by name, most likely the IP reported by the DNS server will be different from the one seen previously; the ISP would ignore the complaint because it doesn't belong to his network. If he checks by IP number, there's a blank page, no reason to take any action.
I found it by name: I took the name from the phishing message, went to that link and saw the page. Because it was using a name and not an IP number, I assumed that there was a home page with some content. There wasn't, so no contacts there. I checked the name record and started gathering contacts to report to. The name record has info on the owner and also the domain name server that's the start of authority over that name and, making the query, the IP number or numbers.
The first funny thing I saw was that the domain name servers of comnet-us.com were on DSL IP numbers and in different networks. It's normal to have DNS servers separated for safety; having the IPs on different networks is not so common. But DNS servers on DSL IPs is weird. There's no difference from a network point of view between one IP and another; in fact, if you're looking at the IP number only, there's no way to know whether it has been assigned to a web server or a DSL customer. But network administrators name their IP numbers, all of them, whether they're serving the public or not, for maintenance purposes. So if you find an IP number with a name like ltown1-1-74.adsl.trix.net, you can tell it was assigned to a DSL customer.
Then I saw that the DNS query for amn27d.info returned a different set of 5 IP numbers every time I requested it. I tried and tried and finally compiled a list of more than 40 different IP numbers for that domain. I reported them to all of the ISPs, almost all were DSL connections, but it was useless. Not only did I have to explain to them how to verify the phishing page by resolving the name themselves, but even if half of the pages were taken down the messages would keep linking to the others without a problem.
I tried to focus on the DNS servers, but it turned out to be really difficult. One of them was down before I reported it or immediately after, but with the other still serving it didn't make much difference. And the other kept working for a long time. The problem was basically that there's nothing wrong with having a DNS server running on your machine with a DSL connection. It's weird, it makes no sense for most applications, but it's not a crime and most likely not a violation of any service contract.
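As an added example, not from the original post, the round-robin behaviour described earlier (5 addresses per answer out of a larger pool) and the repeated-query enumeration the author describes are reproduced offline: a deterministic stand-in nameserver hands out 5 addresses at a time from a constructed pool of 42, the collector keeps querying until a run of answers adds nothing new, and each collected address is tagged by whether its reverse name looks like an ISP's DSL pool naming. The pool addresses, reverse names, rotation rule and token list are all assumptions; the real amn27d.info pool is not on the page.

```python
# Constructed data, not from the original post: a pool of 42 fake phishing hosts
# and the reverse (PTR) names an ISP might have given those addresses.
POOL = [f"198.51.100.{i}" for i in range(1, 43)]
PTR = {ip: f"ltown1-1-{i}.adsl.example.test" for i, ip in enumerate(POOL, 1)}
PTR["198.51.100.7"] = "www.example-hosting.test"   # one address that is a real web host

def make_rotating_resolver(pool, answer_size=5, step=1):
    """Stand-in for a round-robin nameserver (assumed behaviour): each query
    returns the next window of `answer_size` addresses, so repeated queries
    eventually walk the whole pool."""
    offset = [0]
    def resolve(name):
        i = offset[0]
        offset[0] = (i + step) % len(pool)
        return [pool[(i + k) % len(pool)] for k in range(answer_size)]
    return resolve

def enumerate_round_robin(name, resolve, stable_rounds=10, max_queries=1000):
    """Keep asking `resolve(name)` until `stable_rounds` consecutive answers add
    no new address (or `max_queries` is reached). Returns (sorted ips, queries)."""
    seen, quiet, queries = set(), 0, 0
    while quiet < stable_rounds and queries < max_queries:
        answer = set(resolve(name))
        queries += 1
        if answer - seen:          # at least one address not seen before
            seen |= answer
            quiet = 0
        else:
            quiet += 1
    return sorted(seen, key=lambda ip: tuple(map(int, ip.split(".")))), queries

# Labels ISPs commonly put in reverse names of consumer pools (heuristic, assumed).
RESIDENTIAL_TOKENS = ("adsl", "dsl", "cable", "dyn", "pool", "dhcp", "ppp")

def classify_ptr(ptr_name):
    """'residential' if any label of the reverse name carries a consumer-pool token."""
    labels = ptr_name.lower().split(".")
    hit = any(tok in label for label in labels for tok in RESIDENTIAL_TOKENS)
    return "residential" if hit else "other"

def survey(name, resolve, ptr_lookup):
    """Enumerate the pool behind `name` and tag each address by its reverse name."""
    ips, queries = enumerate_round_robin(name, resolve)
    return {ip: classify_ptr(ptr_lookup.get(ip, "")) for ip in ips}, queries

if __name__ == "__main__":
    report, n = survey("amn27d.info", make_rotating_resolver(POOL), PTR)
    print(f"{len(report)} addresses after {n} queries")
    for ip, kind in report.items():
        print(ip, kind)
```

Against a real nameserver the `resolve` argument would be a function doing an A lookup; the stopping rule is the same, and a random (rather than rotating) rotation only changes how many queries the run takes.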
I reported it with all the details, the ISP asked for more information and I gave it to them, but I can understand their position. If they focus on their bailiwick, there's no problem. They have to look at the big picture to see the problem and, even if they do, it's not easy to explain how their network is involved on an illegal operation.
It's gone now. I don't know what happened (nobody tells me anything) but I guess that the customer was contacted and he fixed it.
The moral of the story is that this kind of sophisticated setup is possible, cheap and safe, and that we, the Internet community, are not prepared to deal with it. If I found one, a lot more should be running somewhere, even more complex, sophisticated and bigger.

I said it before and I'll say it again: I don't want police control of the Internet, I think it's fine the way it is. But it needs more responsibility from the users, and I mean all of us. We all take something from it; we should give something too. The merchants have to take care of the marketplace; it's the only reason they're there. And they have to take care of all of the marketplace. Right now they are willing to sacrifice a small percentage because they think that percentage is worth less than the cost of taking a little more responsibility. I'm not saying that they have to save everyone, I don't think it can be done. But at least they have to try, and it's not really expensive. If I can take down one operation like this over my lunch hour, imagine how much they can do with a small team working full time.
