The Phishing Attack
On April 9, 2022, some not-so-nice ungentleman went phishing. As announced on Low End Talk, phishing emails were received by several Low End Talk members.
The phishing emails falsely stated that Low End Talk members needed to validate their account passwords. Then the emails asked Low End Talk members to enter their email addresses and Low End Talk passwords into a web form.
Presumably, anyone who followed these fake instructions handed his password over to the attackers. Low End Talk members may ask the Low End Talk Support Desk for a password reset.
Who was the Black Hat that did this? How much can we Low End Detectives find out about him in 5 minutes? Quite a bit!
The Title of the original LET thread announcing the phishing emails was ⚠️ Attention: Fake Emails from “LowEndTalk.cc” ⚠️
Just looking at the thread’s Title tells us that the phishing emails came from a domain named lowendtalk.cc. Let’s see how much we can find from that single piece of information.
The host Command
First, let’s use the host command from the Internet Systems Consortium. The host command will tell us the numerical IPv4 and IPv6 addresses associated with a hostname like lowendtalk.cc. The host command also will tell us the the numerical IP addresses of any email Message Transfer Agent (MTA) servers associated with the domain.
If you want to follow along and don’t have
hostandwhoisanddiginstalled on your Debian system, install with
# apt-get update && apt-get install dnsutils whois
Both
hostanddigare provided bydnsutils.whoisis a separate package.
The results shown below were seen on April 9, 2022. Please note that your current results from running the commands in this article might be different.
bash:~$ host lowendtalk.cc
lowendtalk.cc has address 185.244.37.218
lowendtalk.cc mail is handled by 10 mail.lowendtalk.cc.
bash:~$
The above results tell us that, at the time it was checked on April 9, 2022, lowendtalk.cc had one IPv4 address, no IPv6 addresses, and one email MTA named mail.lowendtalk.cc.
The whois Command
Next, let’s use the whois command to learn about lowendtalk.cc’s IPv4 address:
bash:~$ whois 185.244.37.218
[ . . . ]
person: SpectraIP B.V.
[ . . . ]
address: NETHERLANDS
[ . . . ]
route: 185.244.37.0/24
[ . . . ]
origin: AS62068
[ . . . ]
bash:~$
whois gives us many lines of information from which five have been selected. These five lines tell us that the IP which was queried is part of a subnet assigned to SpectraIP B.V., in the Netherlands.
The SpectraIP subnet is Autonomous System Number (ASN) AS62068. We now know that when we visit lowendtalk.cc the server is within SpectralIP’s network.
The whois Command Again
Next, let’s use whois again to see what we can learn about the IP address being used by lowendtalk.cc’s email MTA.
bash:~$ whois 23.95.140.153
[ . . . ]
CIDR: 23.94.0.0/15
[ . . . ]
NetType: Direct Allocation
OriginAS: AS36352
Organization: ColoCrossing
[ . . . ]
NetType: Reassigned
OriginAS: AS36352
Customer: RackNerd LLC
[ . . . ]
bash:~$
The above results tell us that lowendtalk.cc’s email MTA server was using an IP address owned by ColoCrossing and reassigned to RackNerd.
The dig Command
Now let’s use dig to see the Sender Policy Framework (SPF) Record of the lowendtalk.cc domain.
bash:~$ dig lowendtalk.cc txt
[ . . . ]
;; ANSWER SECTION:
lowendtalk.cc. 1799 IN TXT "v=spf1 a mx include:relay.mailbaby.net ~all"
[ . . . ]
The SPF Record tells us that lowendtalk.cc possibly was trying to use Interserver’s mail.baby service to send lowendtalk.cc’s phishing emails.
Discussion
Based on the above information, it looks like the phishing emails originally might have been sent from a service hosted at Racknerd. The phishing emails possibly were sent via mail.baby. The phishing website might be hosted on a server within SpectraIP.
All of the above could be determined within 5 minutes based simply on the single piece of information — the hostname lowendtalk.cc — provided in the title of the LET announcement thread.
Presumably, RackNerd might have a record of the identity of the person using the service at the IP address from which the emails might have originated. Alternatively, because lowendtalk.cc’s website IP was within SpectraIP’s network, SpectraIP might have identity information for the attacker.
Additional information could be gained from examining the headers of the phishing emails. Certainly the Low End Talk team must have done that. However, Low End Detectives have not yet issued a summons for the original emails.
Low End Detectives also have not yet become aware of the IP address which was the target of the Confirm My Account button in the phishing email. It’s possible that this IP was the SpectraIP address shown above, but, without more, we can’t be sure.
Besides determining the identity of the attacker, major issues arising from the attack include stopping the flow of the phishing emails and mitigating unfortunate consequences from any passwords which might have been compromised. Additionally, steps might need to be taken to prevent further compromises resulting from phishing emails already delivered. Finally, the Low End Talk Team certainly will consider taking additional steps to prevent future attacks.
Best wishes to the Low End Talk team involved in resolving all this! Thank you for all the great work you did! Best wishes also to any Low End Talk members who received phishing emails.
That’s Sir Arthur Conan Doyle in the image up at the top of this article. If Sir Arthur were alive today, he probably would have his famous detective, Sherlock Holmes, tell us always to glance at the headers of emails asking for confidential information! And to keep our passwords secure!
Related Posts:
My Low End Adventures started here at LowEndBox, when just a few years back, I found the perfect deal on a dedicated server from OVH!
These days I own my own gorgeous antique server named Darkstar. She is colocated in Dallas, Texas USA at LevelOneServers.com.
Besides writing for LowEndBox, helping as a moderator at LowEndTalk and running Darkstar, I'm trying to learn a little about programming and networking.
All these years, and, still, so much more to learn! So many people here who can teach me!
It's very, very fun here on the Low End, isn't it? :)
- HostSailor Greenhouse (NL) Fujitsu Primergy Dedicated Server Review - October 23, 2022
- How Much Faster Is Making A Tar Archive Without Gzip? - October 7, 2022
- How To Move Your Site To Oracle Cloud Free Tier With scp(1) - September 29, 2022
Leave a Reply