Jump to content
Sign in to follow this  
bobbear

'Domainless' phishing scams

Recommended Posts

I've mentioned this before, but as I'm still bewildered, I'd appreciate a bit more input from someone with much more technical expertise than myself.

Over the last few months I've been getting a load of 'phishing' scams that I report through spamcop in the usual way - they just keep coming.

They all use a variation of this 'domainless' address:

http:// 210.182.104.70:680/rock/h/ ('Spaced' to make non-clickable, although I don't think there's any malicious hidden scri_pt there apart from it being a 'phishing' site & an odd page locking arrangement).

It's obviously hosted on a bora.net server (210.182.104.70), but my questions are these - is there a genuine registered domain involved here or can the 'site' rock/h/ just be any old name behind port 680? If it's not done through a registrar, how is this sort of arrangement set up??

If you drop back to the index page of http:// 210.182.104.70:680/rock/ then there is just a notice to say it is a placeholder for rock.net, but a whois search for rock.net seems to indicate that it might possibly be a genuine site belonging to digimedia, (Scott Day ring any bells??). Browsing to rock.net just redirects to yeah.com & your.com which may be honest or not. Anyone any ideas?

Share this post


Link to post
Share on other sites
http:// 210.182.104.70:680/rock/h/  ('Spaced' to make non-clickable, although I don't think there's any malicious hidden scri_pt there apart from it being a 'phishing' site & an odd page locking arrangement).

It's obviously hosted on a bora.net server (210.182.104.70), but my questions are these - is there a genuine registered domain involved here or can the 'site' rock/h/ just be any old name behind port 680? If it's not done through a registrar, how is this sort of arrangement set up??

38993[/snapback]

Domain names are a creation that allow poor humans to be able to remember how to find a web-site. Per your query stretch of including rock.net into the mix, you would type this into your browser address bar (assume that the default mode applies the http:// in front of it) .... The first thing that happens is that your browser tries to do a lookup to find out (in computer terms) just where on the Internet rock.net may be hiding. A DNS (Domain Name Sever) query is made on your own computer, if data isn't found there, your ISP is queried, if not there, then your ISP's upsgtream is queried .. this continues if need be all the way up to the dozen+ computers that do nothing but keep track of where 'everything' is .. eventually, your browser will get an answer back that rock.net exists at an IP address of 216.234.246.150 .. so your browser then sends an HTTP data request to that IP address (default is to Port 80)

In theory, there is a web-server running on the computer attached to the Internet with an IP address of 216.234.246.150 .. if so, then it would answer your computer's HTTP data request by sending out some code (usually HTML) that your browser would then collect, analyze, and translate into a web-page on your screen. You could hen Bookmark/remember rock.net for your next visit, rather than trying to remember 216.234.246.150:80 ...

The URL you are asking about sidesteps the Domain Name issue by offering up an IP address directly. Noting that you are posting from a DSL account, one would normally see your USP's Terms of Service usually including a "no servers allowed" clause for a 'home' account. Knowing that the default www server runs looking at Port 80, and figuring that your ISP wuld be scanning for those verbotten servers running on home user's systems, your sample URL chose to instead have that www server use Port 680 to handle HTTP traffic. By adding that :680 to the IP address, the DNS lookup phase is bypassed (as there is no Domain Name in use) and tells your browser to send its HTTP data request to Port 680 (instead ot the normal Poer 80) .... this way, the normal ISP scans would hit Port 80 and not see a www server ...

So short answer ... there is no Domain Name involved in the item you are asking about. There is no relationship between the /rock/ folder on that computer and rock.net. The use of Port 680 is a bit unusual, typical Proxy/alternative setting would be Port 8080, but that's just a grnerality.

The point is that when you are connected to the internet, your computer is also identified by an IP address. The only reason I don't "get an answer" from pointing my browser to your IP address is that you're not running a www server setup to respond to that query with some web-page code (assumptions made that you're a typical [just browsing] home user and your system isn't compromised <g>)

Share this post


Link to post
Share on other sites
So short answer ... there is no Domain Name involved in the item you are asking about. There is no relationship between the /rock/ folder on that computer and rock.net. The use of Port 680 is a bit unusual, typical Proxy/alternative setting would be Port 8080, but that's just a grnerality.
Thanks Wazoo - that's mainly the bit I wasn't sure of regarding the 'domain' in question - it didn't seem to relate to rock.net. So IIUYC it is just a folder accessed directly via port 680 on a user's ISP account at 210.182.104.70, (service provided by bora.net), running an Apache web server on that port & bypassing DNS by virtue of direct IP:port addressing and thus can be any folder/file name at all. Great, got that clear now - thanks.

Hmm - there's no reverse DNS set up for 210.182.104.70 so that's a blind alley - not surprising, though.

The only way to get such a site closed down then is to file an abuse report with the ISP in question, in this case bora.net. There's been plenty of them filed to date with no effect.....

Share this post


Link to post
Share on other sites
Thanks Wazoo - that's mainly the bit I wasn't sure of regarding the 'domain' in question - it didn't seem to relate to rock.net. So IIUYC it is just a folder accessed directly via port 680 on a user's ISP account at 210.182.104.70, (service provided by bora.net), running an Apache web server on that port & bypassing DNS by virtue of direct IP:port addressing and thus can be any folder/file name at all. Great, got that clear now - thanks.

Only one major correction there .. drop the word "Apache" .... there's no requirement that this product be the one in use. Microsoft offers up even the "Personal Web Server" in some OS packages, AnalogX offers up a "Simple Server" at http://www.analogx.com/contents/download/network.htm ... there are many more web servers out there, but noting that the Apache server is the most popular on the 'net' ....

Hmm - there's no reverse DNS set up for 210.182.104.70 so that's a blind alley - not surprising, though.

Typically, setting up rDNS would be 'normal' for a 'real' web-site .... This system might even be a hacked computer in some Internet Cafe ...???

The only way to get such a site closed down then is to file an abuse report with the ISP in question, in this case bora.net. There's been plenty of them filed to date with no effect.....

39010[/snapback]

Could be that they are working hard on it <g> ... that customer of a customer of a customer thing ...???

Share this post


Link to post
Share on other sites
Only one major correction there .. drop the word "Apache" .... there's no requirement that this product be the one in use.  Microsoft offers up even the "Personal Web Server" in some OS packages, AnalogX offers up a "Simple Server" at http://www.analogx.com/contents/download/network.htm ... there are many more web servers out there, but noting that the Apache server is the most popular on the 'net' ....
Thanks for all the info. on this setup Wazoo, it's got it clear in my mind now. The only reason I referred to Apache, by the way is just that it is a direct reference to the webserver that the scammer is actually using, (you can see it by dropping back from the destination folder).

Typically, setting up rDNS would be 'normal' for a 'real' web-site .... This system might even be a hacked computer in some Internet Cafe ...???
Given your inf., I think it's got to be a static IP on a single machine somewhere. It's possibly just a guy in a house in Pyong-Yang with a dsl account, or something similar, with bora.net pulling the fast one you describe to avoid detection by using a webserver on port 680 instead of the more usual 80 or 8080.

Could be that they are working hard on it <g> ... that customer of a customer of a customer thing ...???
I've received a couple more of these scams in my first batch of spam this morning. With the insight you've given me I shall draft a couple of manual reports to bora.net and see how I get on. This scammer has been running the same scam unhindered for a couple of months now.

Share this post


Link to post
Share on other sites
Given your inf., I think it's got to be a static IP on a single machine somewhere.  It's possibly just a guy in a house in Pyong-Yang with a dsl account, or something similar, with bora.net pulling the fast one you describe to avoid detection by using a webserver on port 680 instead of the more usual 80 or 8080.

39028[/snapback]

It actually works with dynamic IP's as well as non routeable (local network) IP's as long as you are a part of the local network. Of course, with dynamic IP's the link would fail as soon as the IP address was reassigned.

Share this post


Link to post
Share on other sites
I shall draft a couple of manual reports to bora.net and see how I get on.

39028[/snapback]

Please copy spamcop[at]kisa.or.kr and let us know how it goes. Thanks!

Share this post


Link to post
Share on other sites
Please copy spamcop[at]kisa.or.kr and let us know how it goes.  Thanks!

39045[/snapback]

Will copy as requested on the next ones I send, Jeff - I'd already sent a couple off to abuse[at]bora.net as follows before I saw your reply:

Hello,

Attached below is the full, unedited source code, (full headers and body - gif decoded), for an unsolicited 'phishing' type criminal fraud spam received by me today containing the following response website address, (see body of spam):

http:// 210.182.104.70:680/rock/h/ (Attention bora.net abuse team for IP 210.182.104.70)

If I am correct it is a user of yours on IP 210.182.104.70 who is using a webserver on port 680 to further his criminal activity.

Would the abuse team(s) please take the appropriate action urgently please in order to block any replies to the criminal.

Source network abuse reported via Spamcop.

Thank you for your help in fighting internet crime,

Kind Regards,

Bob ######

Source code follows:

I've also had a couple using the address http:// 200.60.139.134:680/rock/f/ which is a unired.net.pe IP - also abuse reported as above, but to unired.net.pe reporting addresses. of course.....

Looking at the format of the scams, I would not be 100% surprised if it is the same gang that are perpetrating the honda-handle/ecolife money laundering scams - there are similarities.

Share this post


Link to post
Share on other sites

It is also true that "fake" (non registered) domain names can be used on the internet as long as some method is also provided for resolving the names to usable IP addresses. Some people use this trick as an added security measure for web sites that have limited access. It even works better when the "fake" address is the same as a real address.

Share this post


Link to post
Share on other sites
It actually works with dynamic IP's as well as non routeable (local network) IP's as long as you are a part of the local network. Of course, with dynamic IP's the link would fail as soon as the IP address was reassigned.

39044[/snapback]

Yes - I think the Peruvian ones I am getting from unired.net.pe may be on dynamic address allocation, at least the offending IP has cycled from 200.60.139.134 to 200.60.139.131 this morning and 200.60.139.134 no longer has a webserver on port 680 so I guess it's been allocated to someone else....

The interesting thing is that the IP addresses I reported yesterday are no longer functioning as phishing sites, although I've had no feedback yet from bora.net or unired.net.pe...

Share this post


Link to post
Share on other sites
It is also true that "fake" (non registered) domain names can be used on the internet as long as some method is also provided for resolving the names to usable IP addresses.

39061[/snapback]

How does that work, exactly? Thanks!

Share this post


Link to post
Share on other sites
How does that work, exactly?  Thanks!

39088[/snapback]

It requires bypassing the standard internet DNS services and using local copies which could be a DNS server or a local host file. Once the address is resolved to an IP address the domain name is actually ignored until it reaches the identified IP address.

If the domain name being used is also a registered domain, then any user that does not have access to the special local DNS services will be routed to the registered domain address. Those that are using the special local DNS services will be routed to the unregistered domain.

This scheme only works if you require pre-authorization to access the web site and have some way of notifying users of the requirement.

Share this post


Link to post
Share on other sites
How does that work, exactly?  Thanks!

39088[/snapback]

http://www.cexx.org/newnet.htm

Explains one lowlife exploit example out there for this .. amazing that after all this time, I still find this damn thing installed on many a computer that makes its way here with all the typical complaints, slow, crashes, times out, etc.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×