Phishing – A Master Angler’s Toolbox
We recently came across a researcher’s gold mine of phishing sites. It all started with a PDF file received via an e-mail called Post-Label. The file itself is harmless, but it links to the USPS scam shown in the screenshots below.
Further analysis of this IP found that it belongs to QuadraNet, a colocation provider whose only involvement is hosting physical servers for its clients. The client offers VPS servers and is likely not aware this is taking place. We filed an abuse report and QuadraNet is now aware of the issue. They’ve committed to cutting off access from this IP if the client does not respond within a set period and clean up the phishing sites. We’ve included numerous updates below on the progress of the cleanup.
*** Update 9/17 – Activity continues and no response from ‘firstname.lastname@example.org’ or Quadranet. Reported this activity to the DOJ/FBI.
*** Update 8/21 – Quadranet has reportedly taken action against AlphaRacks by null-routing its IP again due to the abuse.
*** Update 8/14 – IP still has dozens of phishing sites, malware binaries and botnet communication files hosted on it. I’ve been e-mailing this information to the upstream provider, which is QuadraNet. The co-location customer this IP belongs to either doesn’t have the time to keep an eye on this, or doesn’t know how to stop these phishermen. It’s also possible the server is compromised or that the operator, AlphaRacks, is complicit in the activity. I found that the blocks used to be owned by Crissic Solutions (Skylar MacMinn, Germany), who both worked at Quadranet and occupied the same IP space. An unknown entity was selling AlphaRacks on a web forum about 4 years ago at post#1 post#2.
*** Update 8/7 – IP continues to host phishing activity. We have reported additional sites to QuadraNet, who will presumably notify the colocation client again. Keep in mind we noticed this activity start trending upward in March of 2018. Obviously, they’ve been outsmarting both of these parties for a good deal of time, nearly half of 2018.
*** Update 7/23 – QuadraNet has notified me that they are going to “null-route the IP address and reach out to our customer, they may not have been aware of the number of domains involved.” after they had repeatedly asked the customer to disable these services. IP went down and was back up within a few hours. We confirmed it still had 5+ phishing sites live on it and reported that back to QuadraNet. We suspect the client is Alpharacks Hosting and that up to 1,200 domains may be on this server.
VirusTotal has a ton of sites being hosted off this box, and an almost unbelievable amount of phishing pages and malware. We found more than 50 different brands being phished off this one IP address. The activity goes back to March 2018. It’s a phenomenon I call ‘hiding in plain sight,’ because vendors have been detecting the issue for many months, but no one has taken the initiative to file an abuse report.
Brands being phished include CIBC Bank, DHL, GoDaddy, Microsoft Live, Office 365, OneDrive, Outlook Web Access, PayPal, USPS, and many others all on a single IP. This is a master angler at work, folks!
We’ve seen phishing attempts against the companies below. This is not a confirmation that they were compromised, only that someone scanned a URL with an e-mail address inside of it, so we presume the owner received it via an inbound phishing e-mail. Keep in mind this list only represents a small portion of the recipients and just a couple of days’ worth of URLs being scanned on VirusTotal:
Australia and New Zealand Bank
Aditya Birla Group
QBE Insurance Group
State of Minnesota
The Linde Group
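The inference above rests on one habit of these lures: the recipient's address is embedded in the URL, either as a plain query parameter, in the fragment, or base64-encoded. The following is an added triage example (not code from the original post) that pulls those addresses out of a batch of scanned URLs and groups them by mail domain, so the targeted organisations can be notified. All hosts, paths and addresses in it are constructed placeholders.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample of scanned lure URLs modelled on the pattern described
# in the post. The IP, account path and addresses are invented placeholders.
SAMPLE_URLS = [
    "http://198.51.100.10/~acct/usps/track.php?email=jane.doe%40example-bank.com",
    "http://198.51.100.10/~acct/o365/login.php#john.smith@example-insure.co.nz",
    "http://198.51.100.10/~acct/dhl/?u="
    + base64.b64encode(b"ops@example-bank.com").decode(),
    "http://198.51.100.10/~acct/paypal/index.html",  # no recipient embedded
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _maybe_b64(value):
    """Decode value as base64 text, or return None if it is not base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except Exception:
        return None


def extract_recipients(url):
    """Return the set of e-mail addresses embedded anywhere in a lure URL."""
    parts = urlsplit(url)
    candidates = [unquote(parts.path), unquote(parts.fragment)]
    # Split the query by hand rather than with parse_qsl, which would turn
    # '+' into a space and corrupt base64-encoded values.
    for piece in parts.query.split("&"):
        candidates.append(unquote(piece.partition("=")[2] or piece))
    found = set()
    for text in candidates:
        found.update(EMAIL_RE.findall(text))
        decoded = _maybe_b64(text)
        if decoded:
            found.update(EMAIL_RE.findall(decoded))
    return found


def targeted_orgs(urls):
    """Map each mail domain to the sorted list of addresses seen in lures."""
    by_domain = defaultdict(set)
    for url in urls:
        for addr in extract_recipients(url):
            by_domain[addr.rsplit("@", 1)[1].lower()].add(addr.lower())
    return {domain: sorted(addrs) for domain, addrs in by_domain.items()}


if __name__ == "__main__":
    for domain, addrs in sorted(targeted_orgs(SAMPLE_URLS).items()):
        print(f"{domain}: {', '.join(addrs)}")
```

Feeding it a day's worth of URL-scan results for the IP gives the recipient domains directly, which is the list a researcher would use to notify the affected organisations and the phished brands.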
NOTE: Some of this research is incomplete and should be investigated further by other researchers. I tend to post these kinds of ‘live’ hacks quickly, to get the word out and let folks experiment a bit before the hackers are shut down. The first thing I did was notify the hosting provider, so the clock is ticking. Or maybe it’s not, depending on how well they handle abuse complaints.
E-mail possibly associated with activity: email@example.com
Dozens of the sites have login pages for the Pony Botnet:
I’ve reported this to Quadranet and PhishTank. Google Chrome warned against visiting many of these sites hosted on this IP.