
Phast Phlux Phishing

09.13.2007 - 2:34 PM
Back in April of this year, MySpace founder Tom announced to fellow MySpacitizens that links on their profiles to sites outside of MySpace would from then on appear in the format http://msplinks.com/<random-looking string>. The change was implemented to curb comment spam and phishing. Msplinks.com is basically a redirector, similar to the URL redirection service TinyURL.

Sidenote: msplinks.com appears to be managed by the domain / brand management folks at Mark Monitor.
Sidenote 2: Websense is working with News Corp on this issue to help mitigate the attacks.

Last week, our ThreatSeeker systems picked up an interesting trend developing in the URLs we were seeing. Here's a screenshot:

These deceptive URLs are NOT related to msplinks.com, but at a glance they appear to be. Visiting these links shows the typical MySpace phish page, complete with the obligatory "You Must Be Logged-In to do That!" wording in red to seal the "deal" (the deal being you handing over your credentials to them, daylight-robbery style).

An inspection of the source code shows that almost everything is identical to the real myspace.com page, with virtually all <a href> tags linking back to myspace.com -- except for the email and password form. When the form is submitted, the data is sent to a domain in China (more on this below). We also noticed a long cryptic value being passed back to that domain, which might be a mechanism for the phishers to track the performance of each phish (a poor man's web analytics for phishers). We detected hundreds of such URLs, and with that many phishes the phishers would need a way to measure the return on each one against its associated cost and risk.
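The two tells described above (a URL that shows "msplinks" but is not under msplinks.com, and a page whose links go to myspace.com while its login form posts somewhere else) are easy to check mechanically. The following Python is an added example written for this post, not Websense tooling or anything recovered from the phish kit; the sample page and the hostnames in it (msplinks.example-phish.cn, drop.example-phish.cn) are constructed, and the "registered domain" helper is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Offline triage of a suspected MySpace phish, covering the two tells discussed above.

1. A URL that displays the redirector brand ("msplinks") somewhere a glance lands,
   but whose registered domain is not msplinks.com.
2. A page whose <a href> links overwhelmingly point at one site while its
   login <form> posts its fields to a different one.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BRAND = "msplinks"
BRAND_DOMAIN = "msplinks.com"


def registered_domain(host: str) -> str:
    """Last two labels of a hostname ('drop.example-phish.cn' -> 'example-phish.cn').
    Simplification (assumption): ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(url: str, brand: str = BRAND, brand_domain: str = BRAND_DOMAIN) -> bool:
    """True when the brand string appears in the hostname or path of a URL
    that is not actually under the brand's registered domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return False
    shows_brand = brand in host or brand in parsed.path.lower()
    return shows_brand and registered_domain(host) != brand_domain


class _LinkAndFormCollector(HTMLParser):
    """Collects the absolute hosts targeted by <a href> and <form action>."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.link_hosts = []
        self.form_hosts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.link_hosts.append(self._host(a["href"]))
        elif tag == "form":
            # A form with no action posts back to the page itself.
            self.form_hosts.append(self._host(a.get("action") or ""))

    def _host(self, target: str) -> str:
        # Relative targets are resolved against the page URL before taking the host.
        return (urlparse(urljoin(self.page_url, target)).hostname or "").lower()


def form_target_mismatch(html: str, page_url: str):
    """Return (dominant link domain, set of form domains that differ from it).
    A non-empty second element is the 'links go to myspace.com but the login
    form posts elsewhere' pattern."""
    collector = _LinkAndFormCollector(page_url)
    collector.feed(html)
    link_domains = [registered_domain(h) for h in collector.link_hosts if h]
    if not link_domains:
        return None, set()
    dominant = max(set(link_domains), key=link_domains.count)
    form_domains = {registered_domain(h) for h in collector.form_hosts if h}
    return dominant, form_domains - {dominant}


# Constructed sample modelled on the description above; not a captured phish page.
SAMPLE_PAGE_URL = "http://msplinks.example-phish.cn/login/"
SAMPLE_HTML = """
<html><body>
<a href="http://www.myspace.com/">Home</a>
<a href="http://www.myspace.com/index.cfm?fuseaction=browse">Browse</a>
<a href="http://collect.myspace.com/index.cfm?fuseaction=signup">Sign Up</a>
<p style="color:red">You Must Be Logged-In to do That!</p>
<form method="post" action="http://drop.example-phish.cn/c.php?t=4b1f0c9e7a">
  <input name="email"> <input name="password" type="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""

if __name__ == "__main__":
    print("lookalike URL:", is_lookalike(SAMPLE_PAGE_URL))
    print("link domain vs stray form domains:", form_target_mismatch(SAMPLE_HTML, SAMPLE_PAGE_URL))
```

Run against the constructed sample, the URL check fires because the registered domain is example-phish.cn rather than msplinks.com, and the form check reports myspace.com as the dominant link domain with example-phish.cn as the odd one out receiving the credentials. The tracking token in the form action is simply carried along as part of the URL; the check does not need to understand it.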

The .CN domain hosting this phish resolved to numerous, constantly changing IP addresses, an indicator of a fast-flux service network (a good reference paper on fast flux: http://www.honeynet.org/papers/ff/fast-flux.html).


Although the domain was a Chinese .CN domain, the hosts themselves were located on what appear to be home cable connections of broadband users in the US, most likely the desktops of casual home web surfers whose machines were infected and are now unwilling participants in this orchestrated phishing attack.

The attackers are not only returning multiple A records per query (10 on average) but are also using low TTLs (180 seconds in the answer below; the addresses are partially masked).

;; ANSWER SECTION:
iremoved5x.cn.             180     IN      A       70.XXX.X21.173
iremoved5x.cn.             180     IN      A       71.XXX.X91.10
iremoved5x.cn.             180     IN      A       74.XXX.X65.45
iremoved5x.cn.             180     IN      A       68.XXX.X18.216
iremoved5x.cn.             180     IN      A       70.XXX.X0.173
iremoved5x.cn.             180     IN      A       69.XXX.X5.65
iremoved5x.cn.             180     IN      A       75.XXX.X20.172
iremoved5x.cn.             180     IN      A       70.XXX.X16.50
iremoved5x.cn.             180     IN      A       76.XXX.X13.214
iremoved5x.cn.             180     IN      A       98.XXX.X43.173
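The three signals in that answer (many A records per query, a short TTL, and addresses scattered across unrelated networks rather than one hosting range) can be scored from dig output taken a few minutes apart. The Python below is an added example for this post, not a Websense or Honeynet tool; the dig captures are constructed (the name flux-example.cn and the 10.x addresses are placeholders standing in for the masked real ones), the thresholds are assumptions picked for illustration, and the count of distinct /16 networks is used as an offline stand-in for the ASN diversity one would check with real data.

```python
"""Fast-flux indicators computed from dig answer sections.

Parses the ";; ANSWER SECTION" lines of dig output (same layout as the answer
above) from one or more captures of the same name and reports which of three
signals fire: many A records, low TTL, and addresses spread across many networks.
"""
import ipaddress
import re
from dataclasses import dataclass

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

# Thresholds are assumptions chosen for this example, not values from the post.
MIN_A_RECORDS = 5
MAX_TTL = 300
MIN_DISTINCT_PREFIXES = 4   # distinct /16 networks, standing in for ASN diversity


@dataclass
class FluxReport:
    name: str
    a_records: int          # distinct addresses seen across all captures
    ttl: int                # lowest TTL observed
    distinct_prefixes: int  # distinct /16 networks among those addresses
    indicators: list        # names of the signals that fired

    @property
    def likely_fast_flux(self) -> bool:
        return len(self.indicators) == 3


def parse_answer_section(dig_output: str):
    """Yield (name, ttl, ip) for each A record in dig's answer section."""
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False      # next section header ends the answer section
        if in_answer:
            m = ANSWER_RE.match(line)
            if m:
                yield m.group(1), int(m.group(2)), m.group(3)


def score(dig_outputs):
    """Combine one or more dig captures of the same name into a FluxReport.
    Captures taken minutes apart catch the address churn that low TTLs allow."""
    names, ttls, ips = set(), [], set()
    for out in dig_outputs:
        for name, ttl, ip in parse_answer_section(out):
            names.add(name)
            ttls.append(ttl)
            ips.add(ip)
    if not ips:
        raise ValueError("no A records found in the supplied dig output")
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    min_ttl = min(ttls)
    indicators = []
    if len(ips) >= MIN_A_RECORDS:
        indicators.append("many_a_records")
    if min_ttl <= MAX_TTL:
        indicators.append("low_ttl")
    if len(prefixes) >= MIN_DISTINCT_PREFIXES:
        indicators.append("scattered_networks")
    return FluxReport(", ".join(sorted(names)), len(ips), min_ttl, len(prefixes), indicators)


def _capture(name, ttl, addrs):
    """Build a constructed dig answer section (test data only)."""
    rows = "\n".join(f"{name}\t\t{ttl}\tIN\tA\t{a}" for a in addrs)
    return f";; ANSWER SECTION:\n{rows}\n\n;; Query time: 31 msec\n"


# Constructed captures: a fluxing name queried twice, a few minutes apart.
FLUX_CAPTURE_1 = _capture("flux-example.cn.", 180, [
    "10.70.21.173", "10.71.91.10", "10.74.65.45", "10.68.18.216", "10.72.0.173",
    "10.69.5.65", "10.75.20.172", "10.73.16.50", "10.76.13.214", "10.98.43.173"])
FLUX_CAPTURE_2 = _capture("flux-example.cn.", 180, [
    "10.70.21.173", "10.71.91.10", "10.74.65.45", "10.68.18.216", "10.72.0.173",
    "10.66.5.65", "10.67.20.172", "10.77.16.50", "10.78.13.214", "10.70.99.1"])
# Constructed benign comparison: two addresses in one network, hour-long TTL.
BENIGN_CAPTURE = _capture("www.example.com.", 3600, ["10.1.2.3", "10.1.2.4"])

if __name__ == "__main__":
    print(score([FLUX_CAPTURE_1, FLUX_CAPTURE_2]))
    print(score([BENIGN_CAPTURE]))
```

Across the two constructed captures the fluxing name shows 15 distinct addresses in 14 different /16s with a 180-second TTL, so all three indicators fire; the benign name shows two addresses in one network with a 3600-second TTL and none fire. In practice the second capture is what makes the case: a single answer with ten A records could be a legitimate round-robin, but a fresh set of residential addresses three minutes later is not.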

Websense Security customers are safe from connecting to these sites.

Security Researcher: Jay Liew
