The Phishing Attack
On April 9, 2022, some not-so-nice ungentleman went phishing. As announced on Low End Talk, phishing emails were received by several Low End Talk members.
The phishing emails falsely stated that Low End Talk members needed to validate their account passwords. Then the emails asked Low End Talk members to enter their email addresses and Low End Talk passwords into a web form.
Presumably, anyone who followed these fake instructions handed his password over to the attackers. Low End Talk members may ask the Low End Talk Support Desk for a password reset.
Who was the Black Hat that did this? How much can we Low End Detectives find out about him in 5 minutes? Quite a bit!
The Title of the original LET thread announcing the phishing emails was ⚠️ Attention: Fake Emails from “LowEndTalk.cc” ⚠️
Just looking at the thread’s Title tells us that the phishing emails came from a domain named lowendtalk.cc. Let’s see how much we can find from that single piece of information.
The host
Command
First, let’s use the host
command from the Internet Systems Consortium. The host
command will tell us the numerical IPv4 and IPv6 addresses associated with a hostname like lowendtalk.cc. The host
command also will tell us the the numerical IP addresses of any email Message Transfer Agent (MTA) servers associated with the domain.
If you want to follow along and don’t have
host
andwhois
anddig
installed on your Debian system, install with
# apt-get update && apt-get install dnsutils whois
Both
host
anddig
are provided bydnsutils
.whois
is a separate package.
The results shown below were seen on April 9, 2022. Please note that your current results from running the commands in this article might be different.
bash:~$ host lowendtalk.cc
lowendtalk.cc has address 185.244.37.218
lowendtalk.cc mail is handled by 10 mail.lowendtalk.cc.
bash:~$
The above results tell us that, at the time it was checked on April 9, 2022, lowendtalk.cc had one IPv4 address, no IPv6 addresses, and one email MTA named mail.lowendtalk.cc.
The whois
Command
Next, let’s use the whois
command to learn about lowendtalk.cc’s IPv4 address:
bash:~$ whois 185.244.37.218
[ . . . ]
person: SpectraIP B.V.
[ . . . ]
address: NETHERLANDS
[ . . . ]
route: 185.244.37.0/24
[ . . . ]
origin: AS62068
[ . . . ]
bash:~$
whois
gives us many lines of information from which five have been selected. These five lines tell us that the IP which was queried is part of a subnet assigned to SpectraIP B.V., in the Netherlands.
The SpectraIP subnet is Autonomous System Number (ASN) AS62068. We now know that when we visit lowendtalk.cc the server is within SpectralIP’s network.
The whois
Command Again
Next, let’s use whois
again to see what we can learn about the IP address being used by lowendtalk.cc’s email MTA.
bash:~$ whois 23.95.140.153
[ . . . ]
CIDR: 23.94.0.0/15
[ . . . ]
NetType: Direct Allocation
OriginAS: AS36352
Organization: ColoCrossing
[ . . . ]
NetType: Reassigned
OriginAS: AS36352
Customer: RackNerd LLC
[ . . . ]
bash:~$
The above results tell us that lowendtalk.cc’s email MTA server was using an IP address owned by ColoCrossing and reassigned to RackNerd.
The dig
Command
Now let’s use dig
to see the Sender Policy Framework (SPF) Record of the lowendtalk.cc domain.
bash:~$ dig lowendtalk.cc txt
[ . . . ]
;; ANSWER SECTION:
lowendtalk.cc. 1799 IN TXT "v=spf1 a mx include:relay.mailbaby.net ~all"
[ . . . ]
The SPF Record tells us that lowendtalk.cc possibly was trying to use Interserver’s mail.baby service to send lowendtalk.cc’s phishing emails.
Discussion
Based on the above information, it looks like the phishing emails originally might have been sent from a service hosted at Racknerd. The phishing emails possibly were sent via mail.baby. The phishing website might be hosted on a server within SpectraIP.
All of the above could be determined within 5 minutes based simply on the single piece of information — the hostname lowendtalk.cc — provided in the title of the LET announcement thread.
Presumably, RackNerd might have a record of the identity of the person using the service at the IP address from which the emails might have originated. Alternatively, because lowendtalk.cc’s website IP was within SpectraIP’s network, SpectraIP might have identity information for the attacker.
Additional information could be gained from examining the headers of the phishing emails. Certainly the Low End Talk team must have done that. However, Low End Detectives have not yet issued a summons for the original emails.
Low End Detectives also have not yet become aware of the IP address which was the target of the Confirm My Account button in the phishing email. It’s possible that this IP was the SpectraIP address shown above, but, without more, we can’t be sure.
Besides determining the identity of the attacker, major issues arising from the attack include stopping the flow of the phishing emails and mitigating unfortunate consequences from any passwords which might have been compromised. Additionally, steps might need to be taken to prevent further compromises resulting from phishing emails already delivered. Finally, the Low End Talk Team certainly will consider taking additional steps to prevent future attacks.
Best wishes to the Low End Talk team involved in resolving all this! Thank you for all the great work you did! Best wishes also to any Low End Talk members who received phishing emails.
That’s Sir Arthur Conan Doyle in the image up at the top of this article. If Sir Arthur were alive today, he probably would have his famous detective, Sherlock Holmes, tell us always to glance at the headers of emails asking for confidential information! And to keep our passwords secure!
Related Posts:
- What is “aria-label”? And why you need to use it. - August 12, 2024
- HostSailor Greenhouse (NL) Fujitsu Primergy Dedicated Server Review - October 23, 2022
- How Much Faster Is Making A Tar Archive Without Gzip? - October 7, 2022
Leave a Reply