Triple Random Mongolian URLs hit Citi, eBay, Paypal
Sometimes it's clear that a single criminal is targeting multiple brands. Such was the case this weekend when we began seeing strange domains using the country code ".MN", or Mongolia.
We had Citibank phishing URLs such as:
http://web-da-us.citibank.com.012bw9ijw1.007q70zhc10ebyg.mn/web-da-us/?921-706-844
http://web-da-us.citibank.com.0365kzi9lp5t.007jlwi19ag1k08.mn/web-da-us/?818-419-879
http://web-da-us.citibank.com.0vyto7exofadkjmxof69.00779rmcxejdeft.mn/web-da-us/?922-628-697
I'm calling them "Triple Random" because there is a random string in the HOST name, a random mess of characters which has been registered as the DOMAIN name, and then a random string of numbers at the end of the URL as well.
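The "Triple Random" structure is easy to pick apart mechanically once you separate the brand prefix, the registered domain and the query string. The Python below is an added example, not part of the original post: it decomposes each URL into those three pieces, flags a host as spoofed when a real brand hostname appears as a subdomain of a foreign registered domain, and pivots a feed on the registered domain so that every URL sharing a .mn registration can be handled as one takedown. The sample URLs are the ones quoted in the post plus one constructed genuine eBay URL for contrast; the "last two labels" rule for the registered domain and the gibberish heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hostnames of the real brand sites that the phishing hosts imitate
# (taken from the URLs quoted in the post).
BRAND_HOSTS = (
    "web-da-us.citibank.com",
    "signin.ebay.com",
    "www.paypal.com",
    "www.us.hsbc.com",
)

# The numeric tail on the Citibank URLs, e.g. "?921-706-844".
NUMERIC_QUERY = re.compile(r"\d{3}-\d{3}-\d{3}")


def registered_domain(host):
    """Return <label>.<tld>, the part a registrar actually sold.

    Assumption for this example: the TLDs involved (.mn, .com) have no
    second-level public suffixes, so the last two labels are enough.
    A production tool should consult the public suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_random(label):
    """Crude gibberish test: long, or shorter but mixing letters and digits.

    Heuristic chosen for the labels quoted in the post, not a general
    DGA classifier.
    """
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    return len(label) >= 10 or (len(label) >= 6 and has_digit and has_alpha)


def analyze(url):
    """Decompose one URL into the three components the post calls 'random'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    info = {
        "host": host,
        "registered_domain": registered_domain(host),
        "brand": None,
        "spoofed": False,        # brand host used as a subdomain of a foreign domain
        "host_random": [],       # gibberish labels between brand prefix and domain
        "domain_random": False,  # the registered label itself is gibberish
        "query_random": False,   # trailing ?NNN-NNN-NNN
        "random_count": 0,
    }
    for brand in BRAND_HOSTS:
        if host == brand or host.endswith("." + registered_domain(brand)):
            info["brand"] = brand          # genuinely on the brand's own domain
            return info
        if host.startswith(brand + "."):
            info["brand"] = brand
            info["spoofed"] = True
            # Labels after the brand prefix, minus the registered domain.
            middle = host[len(brand) + 1:].split(".")[:-2]
            info["host_random"] = [m for m in middle if looks_random(m)]
            break
    sld = info["registered_domain"].split(".")[0]
    info["domain_random"] = info["spoofed"] and looks_random(sld)
    info["query_random"] = NUMERIC_QUERY.fullmatch(parsed.query) is not None
    info["random_count"] = (
        int(bool(info["host_random"]))
        + int(info["domain_random"])
        + int(info["query_random"])
    )
    return info


def group_by_registered_domain(urls):
    """Pivot a URL feed on the registrable domain: one takedown per key."""
    groups = defaultdict(list)
    for url in urls:
        groups[registered_domain(urlparse(url).hostname or "")].append(url)
    return dict(groups)


# Sample feed: URLs quoted in the post plus one constructed genuine eBay URL.
SAMPLE_URLS = [
    "http://web-da-us.citibank.com.012bw9ijw1.007q70zhc10ebyg.mn/web-da-us/?921-706-844",
    "http://signin.ebay.com.432xc3e10natg.nrwftgiitrs8.mn/sc/saw-cgi/eBayISAPI.dll/",
    "http://signin.ebay.com.4zllnb2t1pvevmtdm4.nrwftgiitrs8.mn/sc/saw-cgi/eBayISAPI.dll/",
    "http://www.paypal.com.l29y0duqhoe.aiqfimauhxeb.mn/cmd-confirm/login.php?login&login_email=x@y.za&ref=",
    "https://signin.ebay.com/ws/eBayISAPI.dll",  # constructed genuine URL
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze(u)
        print(r["random_count"], r["spoofed"], r["brand"], r["registered_domain"])
    for dom, urls in group_by_registered_domain(SAMPLE_URLS).items():
        print(dom, len(urls))
```

The Citibank URLs score 3 (random subdomain label, random registered label, numeric query); the eBay and PayPal ones score 2 because their query strings are fixed. The structural check, a known brand hostname as a proper prefix of a host whose registered domain belongs to someone else, is the reliable signal; the gibberish heuristic only ranks what the structural check already caught.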
We had eBay phishing URLs such as:
http://signin.ebay.com.432xc3e10natg.nrwftgiitrs8.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.4duvw9mbo9m345engt.7vaaus6ghc24.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.7nb7z7fjzr3r7.rdggrpqw596k.mn/sc/saw-cgi/eBayISAPI.dll/
and we had Paypal phishing URLs such as:
http://www.paypal.com.934gmqpw7nefk4dnxn.cebacwpbhq52.mn/cmd-confirm/login.php?login&login_email=person@place.com&ref=
http://www.paypal.com.l29y0duqhoe.aiqfimauhxeb.mn/cmd-confirm/login.php?login&login_email=julie.butterworth@dwp.gsi.gov.uk&ref=
For this particular group, the Mongolian Country Code, .mn, was fairly interesting. We first reported the Citibank phish on December 8th. On December 9th, there was a brief bout of HSBC, with domains like this:
http://www.us.hsbc.com.8z9fnuor10wvcsosbv1u.001gobr2zu819.mn/_cqr/hsbc/index.php
The eBay phish did not start until December 12th, and it was not until the 14th that we had eBay, Citibank, and Paypal all being phished by newly created random Mongolian domain names on the same day.
Interestingly, DomainTools gives an error when you try to look up ".mn" domains, and "DNS Stuff" says "Mongolia doesn't have a WHOIS Server" and refers you to NIC.mn.
The WHOIS data there is of course worthless thanks to Privacy Protect:
0054bhl2l2p1s.mn
Created On:14-Dec-2007 20:11:26 UTC
Expiration Date:14-Dec-2008 20:11:26 UTC
Sponsoring Registrar:Datacom Co., Ltd. (R121-LRCC)
Status:TRANSFER PROHIBITED
Registrant ID:FR-10eb2f691778a
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:P.O. Box 97
Registrant Street2:All Postal Mails Rejected, visit Privacyprotect.org
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676
Registrant Email:contact@privacyprotect.org
Right this moment I've got a dozen live Citibank, sixteen live eBay, and two live Paypal phish.
Live Citibank
http://web-da-us.citibank.com.ob6hgju9c72p8va14.0054bhl2l2p1s.mn/web-da-us/?310-926-719
http://web-da-us.citibank.com.88kww8s0gwossk48k8s4.005cggerhzgtz.mn/web-da-us/?932-857-960
http://web-da-us.citibank.com.i4u4yga82864i.005eicwaaqqq2.mn/web-da-us/?870-855-857
http://web-da-us.citibank.com.50vqtk765gfq187.005hf08t6sh3z.mn/web-da-us/?223-204-149
http://web-da-us.citibank.com.575jh7tblj1zpr5z171.005l1af8sqegq.mn/web-da-us/?132-939-128
http://web-da-us.citibank.com.1pdldpd5x9p.005o0qyj49uj6.mn/web-da-us/?474-466-484
http://web-da-us.citibank.com.0z6xszulwnqtwfax4zu1.005q9h33vvi5s.mn/web-da-us/?419-334-599
http://web-da-us.citibank.com.99xll1ph1ltppxd1x9p.005qnlf7z0fq6.mn/web-da-us/?728-766-841
http://web-da-us.citibank.com.70dmz8lazgd6.005sgdguh9rsu.mn/web-da-us/?943-748-311
http://web-da-us.citibank.com.4usi4ecucekywi0i8.005ynyzme6vto.mn/web-da-us/?514-803-125
http://web-da-us.citibank.com.4fe1cb654f6hor61.0060a5n5z4y71.mn/web-da-us/?352-278-926
http://web-da-us.citibank.com.dh95xdx9t9t19p5x1d.0068nggsuy099.mn/web-da-us/?295-333-731
Live eBay
http://signin.ebay.com.47eh4zqp4jm10nqhkv6p.6jccavuz6azr.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.74pkappx1ccuml7d3.7vaaus6ghc24.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.egjzcabhdzho8.8727wmivhieb.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.6ayii6uauyqya6aiime.h47wdg86scvp.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.5p7w7uq2haehht105e.ik8aibg6en2y.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.4goilfpboysxqgw2gj.ispmvtvr4wfx.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.55sh1a1zv4h3mria0d8t.j4snfshsgqek.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.4q7rp6710j578o0b0ec.jm8uefv7r8ha.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.hcikdju9hg.kzvhhdd8na6k.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.4zllnb2t1pvevmtdm4.nrwftgiitrs8.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.885e0spixnkfwojuf.qzpauqxhxud5.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.de8n0odsyl.semr2m3rgxkw.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.e1szad0vi5w.svzw7zfndcmf.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.6bs2ocuad6vat.utdrwd2ytwyv.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.c1e01trti2ni6a.v6itp9k25ytn.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.5q6bz7ff12r8qhc.vfsfv99ci2rv.mn/sc/saw-cgi/eBayISAPI.dll/
http://signin.ebay.com.k09jao4wxozb.xveczrabnmvs.mn/sc/saw-cgi/eBayISAPI.dll/
Live Paypal
http://www.paypal.com.l29y0duqhoe.aiqfimauhxeb.mn/cmd-confirm/login.php?login&login_email=x@y.za&ref=
http://www.paypal.com.934gmqpw7nefk4dnxn.cebacwpbhq52.mn/cmd-confirm/login.php?login&login_email=a@b.com&ref=