Posted on Sunday, December 14th, 2008 | Bookmark on del.icio.us

Busy Little Phishing Botnet

by Jose Nazario

Today it’s an American Express phish. In the past few weeks it’s been JPMorgan Chase, Bank of America, CitiGroup, Colonial Bank, and many others. All of them are using fast flux hosting techniques on the same hosts. I don’t know the name of this botnet (either the malcode or the coloquial name) but it sure is busy. Here’s a list of domain names they have been using for their activities (gathered using passive DNS techniques, most of them are now suspended domains):

  • dir10.cz
  • adobeflasplayer10.com
  • isapid.cz
  • es-pos1.es
  • es-pos0.es
  • frankiezfunz.com
  • sofia16-online18.com
  • es-pos3.es
  • idsrv1.es
  • serverdemobank.com
  • idsrv2.es
  • id-rt01.cz
  • aktien-news-online24.com
  • id-rt04.cz
  • flashplayercolonial.com
  • srv-3id.cz
  • clrtemp.cz
  • file033.cz
  • file11.cz
  • sofia16-online24.com
  • ref-id.es
  • idsrv4.es
  • player10update.com
  • bankamericademo.com
  • dir017.cz
  • idrtd.cz
  • 0177.es
  • id-ref.cz
  • serversupdates.com
  • srv-1id.cz
  • 72.in-addr.arpa
  • id0.cz
  • bmspeedlab.org
  • id-rt03.cz
  • democolonialbank.com
  • refid73.es
  • refid70.es
  • identify-3.cz
  • colonialshow.com
  • demobankofamerica.com
  • cs03.cz
  • isapi10.cz
  • es-pos2.es
  • id-ref.be
  • 0104.es
  • idsrv10.es
  • bumospo.com
  • hawaiiantel.net
  • isdir.cz
  • cs07.cz
  • cs01.cz
  • identify-4.cz
  • ptil.cz
  • sofia18-online.com
  • idsrv11.es
  • installadobeplayer.com
  • es-pos7.es
  • colonialdemo.com
  • bmspeedlab.com
  • id-rt02.cz
  • srv-4id.cz
  • fasttrk.cz
  • bumotor.org
  • srv-7id.cz
  • bumotor.net
  • identify-1.cz
  • bumospe.tk
  • onlineserverdownload.com
  • clasmatessup.com
  • everettzfunz.com
  • file17.cz
  • demoversions10.com
  • tempdir.cz
  • demoservers1.com

Unlike some other fast flux users, these guys seem to go to different gTLDs as needed:

  • 1 — be
  • 23 — com
  • 29 — cz
  • 15 — es
  • 2 — net
  • 2 — org
  • 1 — tk

The hosts have largely been the same over this time so you can track them using passive DNS to discover their new names. Almost all of these are detected using standard anti-phishing tools.

This entry was posted on Sunday, December 14th, 2008 at 12:30 pm and is filed under ATLAS, Botnets, Phishing, Spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses | Add your own



Comment Post by: asicard — December 17th, 2008 @ 3:27 pm EST  Reply

testing comment system :)

Comment Post by: Gandi Abuse Team — January 19th, 2009 @ 9:25 am EST  Reply

Sincerely,

Hello guys,

As a whitehat registrar, active in the fight against phishing and deviant internet practices, Gandi maintains a zero-tolerance policy regarding phishing.

For each fraudulent domain that was bought to our attention, we proceeded with an internal investigation of the claims of abuse and took action as required.

After the next nameserver reload (and propagation period) the phishing scams using the domain name in question was taken down.

Thank you for your help in reducing crime on the internet.

Sincerely,
Gandi.net Abuse Department

Leave a Comment