The great Hotmail, AOL and Yahoo phishing scam.

For many months now, lots of people have had their Yahoo, AOL, Hotmail and other email accounts compromised.

Often the user changes their password and is then compromised again only a matter of weeks later.

The first I know of it is when I get an email from one of my contacts containing a link and some text to try and get me to click on it. This part isn't clever and is present in almost all email scams that don't contain attachments.

[Screenshot: phishing mail in inbox]

It now gets interesting. For many months I couldn’t work out why I was just being spammed with slimming web pages from these compromised accounts…

[Screenshot: scam page]

I finally submitted one of the e-mail URLs to urlquery. It isn't clear in the browser, but the encoded URL…

107.183.127.193/?honi=dipu&dojoboxadubu=base64fromaddress&id=base64toaddress&sefi=cmFkaW8=

…must contain a unique encoded URL for the recipient. This address then, sometimes, forwards to something similar to…

107.183.127.193?to=recipient@domain.com&cty=Tk87PW9zcw==

…Some other versions of this scam do not, and instead forward to yet more encoded URLs. Discovering the above URL was important: it allowed me to take screenshots of all the obvious versions of this scam.

Firstly, if it doesn't know your domain (which in my case it didn't), you are just forwarded directly through to the slimming-products spam page.

However, if it does know your email domain, for example hotmail.com, it tailors a phishing page to that provider before forwarding you on to the slimming spam page.
To make it more difficult to track down, a unique URL can only be used once: if the recipient tries to visit the phishing page again they are instantly redirected. If the visitor has two unique URLs but has already been phished, a cookie prevents them from being shown the phishing page a second time.
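As an added example (not code from the original post), the following Python script does the triage step described above on the two URL forms quoted: it base64-decodes the query parameters, pulls out the sender and recipient addresses, works out the recipient's domain (the value the kit keys on when choosing a tailored page) and checks the host against the netblocks listed in the whois records in this post. The parameter names `dojoboxadubu`, `id` and `to` are taken from the quoted URLs; the set of provider domains the kit matches is an assumption (the post only names the providers), and the sample URLs are constructed because the real base64 values were redacted in the post.

```python
"""Triage helper for the tracking URLs used in this campaign.

Added example, not code from the original post: decodes the base64
query parameters seen in the redirect URLs, extracts sender/recipient,
and checks the host against the netblocks quoted in the post.
Sample URLs are constructed; the real base64 values were redacted.
"""
import base64
import binascii
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Netblocks from the ARIN, RIPE and LACNIC records quoted in the post.
KNOWN_NETS = [ipaddress.ip_network(n) for n in
              ("107.183.0.0/16", "31.204.152.0/23", "186.148.231.0/24")]

# Providers the post shows tailored phishing pages for. Which exact
# domains the kit matches is an assumption; the post only names providers.
TAILORED_DOMAINS = {"hotmail.com", "aol.com", "gmail.com", "yahoo.com",
                    "sky.com", "btinternet.com"}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_b64_text(value):
    """Return the decoded text if `value` looks like base64 of printable
    ASCII, else None. Heuristic: base64 alphabet, length a multiple of 4
    and at least 8, so short plain words such as 'dipu' are left alone."""
    value = value.replace(" ", "+")  # parse_qsl turns a literal '+' into a space
    if len(value) < 8 or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage_url(url):
    """Extract host, decoded parameters and the addresses from one URL."""
    if "://" not in url:
        url = "http://" + url  # the post quotes bare host/path URLs
    parts = urlsplit(url)
    host = parts.hostname or ""
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    decoded = {k: t for k, v in params.items()
               if (t := decode_b64_text(v)) is not None}

    # Parameter names follow the two URL forms quoted in the post:
    # '?...&dojoboxadubu=<b64 from>&id=<b64 to>' and '?to=<recipient>'.
    recipient = params.get("to") or decoded.get("id")
    sender = decoded.get("dojoboxadubu")
    m = EMAIL_RE.match(recipient or "")
    domain = m.group(1).lower() if m else None

    try:
        in_known_net = any(ipaddress.ip_address(host) in n for n in KNOWN_NETS)
    except ValueError:
        in_known_net = None  # a hostname; would need resolving first

    return {
        "host": host,
        "in_known_net": in_known_net,
        "decoded": decoded,
        "sender": sender,
        "recipient": recipient,
        "recipient_domain": domain,
        # Per the post: known provider -> tailored phishing page first,
        # anything else -> straight to the slimming spam page.
        "tailored_page_expected": domain in TAILORED_DOMAINS,
    }


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample URLs shaped like the two forms quoted in the post.
SAMPLE_URLS = [
    "107.183.127.193/?honi=dipu&dojoboxadubu=" + _b64("friend@example.net")
    + "&id=" + _b64("victim@hotmail.com") + "&sefi=cmFkaW8=",
    "107.183.127.193?to=victim@hotmail.com&cty=Tk87PW9zcw==",
    "107.183.127.193?to=someone@example.org&cty=Tk87PW9zcw==",
]


def triage_all(urls=SAMPLE_URLS):
    return [triage_url(u) for u in urls]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

Run it against URLs copied out of the mail headers or a urlquery submission rather than by clicking through from the victim's mailbox: as described above, the kit burns each unique link on first use and sets a cookie, so a live visit from the recipient's browser destroys the evidence the tailored page would have given you. The `+`-to-space fix in `decode_b64_text` matters because `parse_qsl` decodes a literal `+` in base64 values to a space.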

[Screenshots: Hotmail, AOL, Gmail, Yahoo, Sky and BT phishing pages]

As of 14th June the following IP addresses, networks and domains are part of the scam:

107.183.127.10
107.183.127.193
107.183.122.226

NetRange 107.183.0.0 – 107.183.255.255
CIDR 107.183.0.0/16
Name ENZUINC-US-BLK14
Handle NET-107-183-0-0-1
Parent NET107 (NET-107-0-0-0-0)
Net Type Direct Allocation
Origin AS AS18978
Organization Enzu Inc (ENZUI)
Registration Date 2014-02-18
Last Updated 2014-02-18
Comments ——————————–
Enzu Inc.
2360 Corporate Circle Suite 400
Henderson, NV 89074
https://www.enzu.com
——————————–

*.sslmailc.com
Domain Name: SSLMAILC.COM
Registry Domain ID: 1862699376_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: http://www.enom.com
Updated Date: 2014-06-13 07:54:39Z
Creation Date: 2014-06-13 14:54:00Z
Registrar Registration Expiration Date: 2015-06-13 14:54:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 3AAAC17BE8C04F29AC210CAA6D78FEE7.PROTECT@WHOISGUARD.COM
Registry Admin ID:

ww51-health-news.bbc-newsnow.com
Domain Name: BBC-NEWSNOW.COM
Registry Domain ID: 1860111570_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: http://www.enom.com
Updated Date: 2014-05-24 19:23:26Z
Creation Date: 2014-05-25 02:23:00Z
Registrar Registration Expiration Date: 2015-05-25 02:23:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 6583A60AA50F48DBBCD19C7D276AE393.PROTECT@WHOISGUARD.COM
Registry Admin ID:

ww39-health-news.ebbc-news.com
Domain Name: EBBC-NEWS.COM
Registry Domain ID: 1862489850_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: http://www.enom.com
Updated Date: 2014-06-11 13:23:30Z
Creation Date: 2014-06-11 20:23:00Z
Registrar Registration Expiration Date: 2015-06-11 20:23:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 4EDA4832AB444C3C8AEDFB03734DB9FA.PROTECT@WHOISGUARD.COM
Registry Admin ID:

Both of the health-news domains above point to…
Related IP: 31.204.153.74
Related Hostname: hosted-by.shineservers.com

inetnum:         31.204.152.0 - 31.204.153.255
netname:         INTERACTIVE3D
remarks:         Retail
descr:           Interactive 3D B.V. IP space
country:         NL
admin-c:         ir809-RIPE
tech-c:          ir809-RIPE
status:          ASSIGNED PA
mnt-by:          MNT-i3D
source:          RIPE # Filtered

myoffers.co.uk also seems to be related, though probably innocently: traffic is sometimes forwarded there, or when the unique encoded link is wrong.

Edit 25th June: Another round of these is happening. This time the following IP addresses and domains are associated:

107.183.127.111
107.183.127.66
107.183.122.90
107.183.122.234
These are in the same Enzu netblock noted above.

Domain Name: YLSSL.COM
Registry Domain ID: 1864182559_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: http://www.enom.com
Updated Date: 2014-06-24 19:28:57Z
Creation Date: 2014-06-25 02:28:00Z
Registrar Registration Expiration Date: 2015-06-25 02:28:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 36E833F22CCF425C92D33433E2F8F859.PROTECT@WHOISGUARD.COM
Registry Admin ID:

Domain Name: BBCTODAYNEWS.COM
Registry Domain ID: 1864183131_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: http://www.enom.com
Updated Date: 2014-06-24 19:36:46Z
Creation Date: 2014-06-25 02:36:00Z
Registrar Registration Expiration Date: 2015-06-25 02:36:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 32FAB5046C2E426B9FA6270F66E84207.PROTECT@WHOISGUARD.COM
Registry Admin ID:

Edit 30th June: Another round:

107.183.122.139
Again the website seems to be down, so I can't check the associated domain names.

Edit 2nd November: Another round:

186.148.231.62

inetnum:     186.148.231/24
status:      reallocated
owner:       Igreja Universal do Pai Eterno da Graça XXXII
ownerid:     BR-IUPE-LACNIC
responsible: Breno Cunha Teles de Carvalho
address:     Rua Pamelo, 13, AP 37
address:     01310 - Sao Paulo - SP
country:     BR
phone:       +55 31 36370897 []
owner-c:     GUV11
tech-c:      GUV11
abuse-c:     GUV11
created:     20140924
changed:     20140924
inetnum-up:  186.148.224/21

sclsmail.com, with related IP 186.148.231.12 (within the above subnet), hosts the phishing pages.
Users whose domain is not in the phishing list, or who have already used their link, are sent on to this domain instead:
ww74-health-news.bbctodaynews.net on IP 186.148.231.32, again within the above subnet.
