LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Low End Detectives: IP Address of Low End Talk Phishing Attacker Revealed In Just 5 Minutes!

Tags: , , , , Date/Time: April 15, 2022 @ 12:30 am, by Not_Oles

The Phishing Attack

On April 9, 2022, some not-so-nice ungentleman went phishing. As announced on Low End Talk, phishing emails were received by several Low End Talk members.

The phishing emails falsely stated that Low End Talk members needed to validate their account passwords. Then the emails asked Low End Talk members to enter their email addresses and Low End Talk passwords into a web form.

Presumably, anyone who followed these fake instructions handed his password over to the attackers. Low End Talk members may ask the Low End Talk Support Desk for a password reset.

Who was the Black Hat that did this? How much can we Low End Detectives find out about him in 5 minutes? Quite a bit!

The Title of the original LET thread announcing the phishing emails was ⚠️ Attention: Fake Emails from “LowEndTalk.cc” ⚠️

Just looking at the thread’s Title tells us that the phishing emails came from a domain named lowendtalk.cc. Let’s see how much we can find from that single piece of information.

The host Command

First, let’s use the host command from the Internet Systems Consortium. The host command will tell us the numerical IPv4 and IPv6 addresses associated with a hostname like lowendtalk.cc. The host command also will tell us the the numerical IP addresses of any email Message Transfer Agent (MTA) servers associated with the domain.

If you want to follow along and don’t have host and whois and dig installed on your Debian system, install with

# apt-get update && apt-get install dnsutils whois

Both host and dig are provided by dnsutils. whois is a separate package.

The results shown below were seen on April 9, 2022. Please note that your current results from running the commands in this article might be different.


bash:~$ host lowendtalk.cc
lowendtalk.cc has address 185.244.37.218
lowendtalk.cc mail is handled by 10 mail.lowendtalk.cc.
bash:~$

The above results tell us that, at the time it was checked on April 9, 2022, lowendtalk.cc had one IPv4 address, no IPv6 addresses, and one email MTA named mail.lowendtalk.cc.

The whois Command

Next, let’s use the whois command to learn about lowendtalk.cc’s IPv4 address:


bash:~$ whois 185.244.37.218
[ . . . ]
person: SpectraIP B.V.
[ . . . ]
address: NETHERLANDS
[ . . . ]
route: 185.244.37.0/24
[ . . . ]
origin: AS62068
[ . . . ]
bash:~$

whois gives us many lines of information from which five have been selected. These five lines tell us that the IP which was queried is part of a subnet assigned to SpectraIP B.V., in the Netherlands.

The SpectraIP subnet is Autonomous System Number (ASN) AS62068. We now know that when we visit lowendtalk.cc the server is within SpectralIP’s network.

The whois Command Again

Next, let’s use whois again to see what we can learn about the IP address being used by lowendtalk.cc’s email MTA.

bash:~$ whois 23.95.140.153
[ . . . ]
CIDR: 23.94.0.0/15
[ . . . ]
NetType: Direct Allocation
OriginAS: AS36352
Organization: ColoCrossing
[ . . . ]
NetType: Reassigned
OriginAS: AS36352
Customer: RackNerd LLC
[ . . . ]
bash:~$

The above results tell us that lowendtalk.cc’s email MTA server was using an IP address owned by ColoCrossing and reassigned to RackNerd.

The dig Command

Now let’s use dig to see the Sender Policy Framework (SPF) Record of the lowendtalk.cc domain.

bash:~$ dig lowendtalk.cc txt
[ . . . ]
;; ANSWER SECTION:
lowendtalk.cc. 1799 IN TXT "v=spf1 a mx include:relay.mailbaby.net ~all"
[ . . . ]

The SPF Record tells us that lowendtalk.cc possibly was trying to use Interserver’s mail.baby service to send lowendtalk.cc’s phishing emails.

Discussion

Based on the above information, it looks like the phishing emails originally might have been sent from a service hosted at Racknerd. The phishing emails possibly were sent via mail.baby. The phishing website might be hosted on a server within SpectraIP.

All of the above could be determined within 5 minutes based simply on the single piece of information — the hostname lowendtalk.cc — provided in the title of the LET announcement thread.

Presumably, RackNerd might have a record of the identity of the person using the service at the IP address from which the emails might have originated. Alternatively, because lowendtalk.cc’s website IP was within SpectraIP’s network, SpectraIP might have identity information for the attacker.

Additional information could be gained from examining the headers of the phishing emails. Certainly the Low End Talk team must have done that. However, Low End Detectives have not yet issued a summons for the original emails.

Low End Detectives also have not yet become aware of the IP address which was the target of the Confirm My Account button in the phishing email. It’s possible that this IP was the SpectraIP address shown above, but, without more, we can’t be sure.

Besides determining the identity of the attacker, major issues arising from the attack include stopping the flow of the phishing emails and mitigating unfortunate consequences from any passwords which might have been compromised. Additionally, steps might need to be taken to prevent further compromises resulting from phishing emails already delivered. Finally, the Low End Talk Team certainly will consider taking additional steps to prevent future attacks.

Best wishes to the Low End Talk team involved in resolving all this! Thank you for all the great work you did! Best wishes also to any Low End Talk members who received phishing emails.

That’s Sir Arthur Conan Doyle in the image up at the top of this article. If Sir Arthur were alive today, he probably would have his famous detective, Sherlock Holmes, tell us always to glance at the headers of emails asking for confidential information! And to keep our passwords secure!

No Comments

    Leave a Reply

    Some notes on commenting on LowEndBox:

    • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
    • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
    • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

    Your email address will not be published.