Return-path: <msu@mus.edu>
Envelope-to: XXXXXXXX@msu.edu
Delivery-date: Tue, 12 Feb 2013 10:33:42 -0500
Received: from [202.123.76.219] (helo=bsdmail2.tgtnet.com)
by ZZZZ.ZZZZ.msu.edu with esmtp (Exim 4.75 #3)
id 1U5HrM-0006V8-HV; Tue, 12 Feb 2013 10:33:30 -0500
Received: from tgtnet.com (localhost.localdomain [127.0.0.1])
by bsdmail2.tgtnet.com (8.14.2/8.14.2) with ESMTP id r1CF4Xrm096120;
Tue, 12 Feb 2013 23:04:33 +0800 (HKT)
(envelope-from msu@mus.edu)
From: "Michigan State University" <msu@mus.edu>
Subject: Warning!!!
Date: Tue, 12 Feb 2013 23:04:32 +0800
Message-Id: <20130212145850.M25036@mus.edu>
X-Mailer: OpenWebMail 2.52 20060502
X-OriginatingIP: 180.74.192.93 (terry.yue)
MIME-Version: 1.0
Content-Type: text/plain;
charset=iso-8859-1
To: undisclosed-recipients:;
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by bsdmail2.tgtnet.com id r1CF4Xrm096120
[Snip]
Subject: *****SPAM***** Warning!!!
Body:
Dear Subscriber's,
We have detected some unusual message from your account,to avoid you loosing
your account or suspension,you will have to re-confirm your account for us to
know that you are the right full owner of this email account.
You are therefore required to click or copy the link
http://cks-online.com/wp-mail.htm
to enable us verify and perform maintenance in your email account with our
new system upgrading software.Failure to provide your valid information, your
account will be suspended temporarily from our services.
We sincerely apologize for the inconvenience this might have caused you.
Helpdesk Team,
© 2013 Michigan State University
All rights reserved.
Michigan State University. Est. 1855. East Lansing, Michigan USA.

Seems legit that the MSU helpdesk staff would send an email from "mus.edu" asking everyone to log into cks-online.com. Look at what the headers actually say: Return-path and From claim mus.edu (msu.edu with two letters swapped), yet no hop in the Received chain ever touched a mus.edu server. The only Received line we can trust is the top one, written by MSU's own Exim, and it says the connection came in from 202.123.76.219 (announcing itself as bsdmail2.tgtnet.com, with timestamps in HKT). Anything below that line was supplied by the sending side and could be forged. The X-Mailer and X-OriginatingIP lines are added by OpenWebMail: the message was composed in a tgtnet.com webmail account (terry.yue) that was logged in from 180.74.192.93.
Let's dig into some of the IPs from the headers. All of this information is freely available through domain and network registrations.
202.123.76.219 (the relay that handed the message to MSU)

inetnum: 202.123.64.0 - 202.123.95.255
netname: HENDERSON
descr: Henderson Data Centre Limited
descr: 6/F, World-Wide House,Central
country: HK
person: Tech Admin
address: Henderson Data Centre Limited
address: 17/F WELL TECH CENTRE
address: 9 Pat Tat Street
address: San Po Kong
address: Kowloon
address: Hong Kong
country: HK
phone: +852-2908-6900
fax-no: +852-2908-6966
e-mail: tech.admin@ihenderson.com

180.74.192.93 (the X-OriginatingIP, i.e. the webmail login)

inetnum: 180.72.0.0 - 180.75.255.255
netname: P1NETWORKS-MY
descr: Packet One Networks (M) Sdn
descr: Internet Service Provider
descr: Kuala Lumpur, Malaysia
country: MY
person: Seng Hoon Lee
nic-hdl: SL2018-AP
e-mail: senghoon.lee@packet-1.com
address: Level 4, PacketHub,
address: 59 Jalan Templer,
address: 46050 Petaling Jaya, Selangor,
address: Malaysia.
phone: +603-74508888
fax-no: +603-74508891

Huh. Mr. Seng Hoon Lee is gettin' busy. To be fair, he is only the registered contact for the Malaysian ISP's netblock, which makes him the person to send the abuse report to rather than the person behind the keyboard, and the same goes for the Henderson data centre's tech admin. So, how about the phishing site, cks-online.com?
Queried whois.godaddy.com with "cks-online.com"...

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: CKS-ONLINE.COM
Created on: 28-Feb-09
Expires on: 28-Feb-13
Last Updated on: 25-Feb-12
Registrant:
Stanley Ling
29, Jalan 1826,
Taman Sri Rampai, Setapak,
Kuala Lumpur, WP 53300
Malaysia
Administrative Contact:
Ling, Stanley stanley.ling@gmail.com
29, Jalan 1826,
Taman Sri Rampai, Setapak,
Kuala Lumpur, WP 53300
Malaysia
+60.60126480288

Queried whois.arin.net with "n 97.79.238.221" (the address cks-online.com was being served from)...

NetRange: 97.76.0.0 - 97.79.255.255
CIDR: 97.76.0.0/14
OriginAS:
NetName: RCSW
NetHandle: NET-97-76-0-0-1
Parent: NET-97-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-09-11
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-97-76-0-0-1
OrgName: Road Runner HoldCo LLC
OrgId: RCSW
Address: 13820 Sunrise Valley Drive
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
RegDate: 2001-09-07
Updated: 2011-07-06

Oh Stanley Ling, you card! Checking what else sits on 97.79.238.221 turns up roughly 136 other phishing and SEO sites sharing that IP.
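Three whois lookups by hand is fine; thirty is not. Below is an added example (written for this page, not part of the original post) that parses the key: value output shown above into objects, finds the network object whose range or CIDR actually contains the queried IP, and collects the operator's contact e-mails, which is who an abuse report goes to. The three records are trimmed, constructed copies of the APNIC and ARIN output quoted above; `summarize` and the field names it returns are this example's own, and real whois output carries many more keys than the ones handled here.

```python
import ipaddress

# Constructed samples: the records quoted above, trimmed to a few fields.
HENDERSON_WHOIS = """\
inetnum:        202.123.64.0 - 202.123.95.255
netname:        HENDERSON
descr:          Henderson Data Centre Limited
country:        HK

person:         Tech Admin
address:        Henderson Data Centre Limited
e-mail:         tech.admin@ihenderson.com
"""

P1_WHOIS = """\
inetnum:        180.72.0.0 - 180.75.255.255
netname:        P1NETWORKS-MY
descr:          Packet One Networks (M) Sdn
descr:          Internet Service Provider
country:        MY

person:         Seng Hoon Lee
nic-hdl:        SL2018-AP
e-mail:         senghoon.lee@packet-1.com
"""

ARIN_WHOIS = """\
NetRange:       97.76.0.0 - 97.79.255.255
CIDR:           97.76.0.0/14
NetName:        RCSW
OrgName:        Road Runner HoldCo LLC
Country:        US
Ref:            http://whois.arin.net/rest/net/NET-97-76-0-0-1
"""


def parse_whois(text):
    """Split key: value whois output into objects (blank-line separated).
    Values are lists because descr/address repeat; keys are lower-cased so
    the APNIC (inetnum) and ARIN (NetRange/CIDR) spellings share one code path."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.lstrip().startswith(("%", "#")):      # server comments
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def netblock_for(ip, objects):
    """The network object whose range or CIDR contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        for rng in obj.get("inetnum", []) + obj.get("netrange", []):
            lo, _, hi = rng.partition("-")
            if ipaddress.ip_address(lo.strip()) <= addr <= ipaddress.ip_address(hi.strip()):
                return obj
        for cidr in obj.get("cidr", []):
            if addr in ipaddress.ip_network(cidr, strict=False):
                return obj
    return None


def summarize(ip, text):
    """Who the IP belongs to and where the abuse report goes. The e-mail in a
    person/role object is the network operator's contact, not the IP's user."""
    objects = parse_whois(text)
    net = netblock_for(ip, objects)
    if net is None:
        return None          # record does not cover this IP: wrong query or stale paste
    contacts = [o for o in objects if "person" in o or "role" in o]
    return {
        "range": (net.get("inetnum") or net.get("netrange"))[0],
        "netname": net.get("netname", [""])[0],
        "org": (net.get("descr") or net.get("orgname") or [""])[0],
        "country": net.get("country", [""])[0],
        "contacts": sorted(e for o in contacts for e in o.get("e-mail", [])),
    }
```

The range check matters more than it looks: whois servers answer with the most specific object they have, and when you paste the wrong record next to the wrong IP (easy to do with three lookups in one post) `summarize` returns None instead of quietly attributing the address to the wrong operator.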
Next, let's wget the page and see what was shakin' over there.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>
Account Verification Page
</title></head>
<frameset rows="100%">
<frame src="http://sycure.boxhost.me/efe/Login.htm" />
<noframes>
<body>Please follow the <a href="http://sycure.boxhost.me/efe/Login.htm">link</a>.</body>
</noframes>
</frameset>
</html>

Lame. The page on cks-online.com is nothing but a full-height frameset: the address bar keeps showing cks-online.com while the actual login form is pulled in from sycure.boxhost.me. Boxhost.me is a free web hosting service, and now we have a username: sycure. A search for it brings up an infosec blog: sycure.wordpress.com. In the interests of science, I used wget to mirror everything on sycure.boxhost.me. Stan made 3-4 versions of the same phishing site, apparently. There's not much worthwhile here, just shitty code. The robots.txt implies a WordPress install, but I didn't see one:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/

The phishing page forwards your credentials to a PHP script, presumably to send them off, and then bounces you to a thankyou.html page. The interesting part here was the analytics code at the bottom of the Thank You page:
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-491816-39");
pageTracker._trackPageview();
} catch(err) {}</script>

Their analytics tracking number is listed near the end: UA-491816-39. Googling it brings up scrapes of a bunch of pages, the topmost of which are Formmailhosting.com, Youtubedriver.com, and Ricksgamblingguide.com. Formmailhosting is an affiliate marketing program (shocking), with a YouTube page about affiliate marketing (also shocking). Worth knowing when pivoting on these: in a UA-<account>-<property> id the middle number is the Analytics account, so any page carrying UA-491816-<anything> reports into the same Google Analytics login as the phishing kit's thank-you page, whatever the trailing property number is.
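Pulling those two pivots (where the page really loads from, and which tracker account it reports to) out of a mirrored page is the kind of thing worth scripting when a kit has several versions. The example below is added for this page and is not code from the original post: it parses the frameset quoted above as written, and uses constructed stand-ins for the thank-you page (only the tracker script is shown in the post, so the surrounding markup is ours) and for Login.htm (the post never shows the form or names the PHP handler, so `handler.php` is a placeholder). Only the standard library is used.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Classic Google Analytics ids: UA-<account>-<property index>
GA_ID_RE = re.compile(r"\bUA-(\d+)-(\d+)\b")

# The frameset served from cks-online.com, as quoted above.
FRAMESET_HTML = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Account Verification Page</title></head>
<frameset rows="100%">
<frame src="http://sycure.boxhost.me/efe/Login.htm" />
<noframes><body>Please follow the <a href="http://sycure.boxhost.me/efe/Login.htm">link</a>.</body></noframes>
</frameset>
</html>"""

# Constructed stand-in for thankyou.html around the tracker script quoted above.
THANKYOU_HTML = """<html><body><p>Thank you.</p>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try { var pageTracker = _gat._getTracker("UA-491816-39"); pageTracker._trackPageview(); } catch(err) {}
</script></body></html>"""

# Constructed stand-in for Login.htm; "handler.php" is a placeholder name.
LOGIN_HTML = """<html><body><form method="post" action="handler.php">
<input name="email"><input name="password" type="password"><input type="submit">
</form></body></html>"""


class PhishPageParser(HTMLParser):
    """Collect where a page really loads its content from and where forms post to."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.frames, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(urljoin(self.base_url, a["src"]))
        elif tag == "form":
            # no action attribute means the form posts back to the page itself
            self.forms.append(urljoin(self.base_url, a.get("action") or ""))


def analyze_page(html, page_url):
    """Frame targets, form targets, the hosts they reveal, and any GA ids."""
    p = PhishPageParser(page_url)
    p.feed(html)
    p.close()
    ids = GA_ID_RE.findall(html)          # regex over the raw page catches ids in inline JS
    page_host = urlparse(page_url).hostname
    return {
        "frames": p.frames,
        "forms": p.forms,
        # hosts other than the one shown in the address bar that the page talks to
        "real_hosts": sorted({urlparse(u).hostname for u in p.frames + p.forms} - {page_host}),
        "ga_ids": sorted({"UA-%s-%s" % m for m in ids}),
        "ga_accounts": sorted({acct for acct, _ in ids}),
    }


def same_ga_account(id_a, id_b):
    """Same account number means the same Analytics login, whatever the property index."""
    a, b = GA_ID_RE.fullmatch(id_a), GA_ID_RE.fullmatch(id_b)
    return bool(a and b) and a.group(1) == b.group(1)
```

Feeding the frameset through `analyze_page` with the cks-online.com URL as the base reports sycure.boxhost.me as the only "real" host, and the thank-you page yields account 491816, which is what to search for next rather than the full UA-491816-39 string.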
Let's check out formmailhosting.com:
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: FORMMAILHOSTING.COM
Created on: 17-Dec-08
Expires on: 17-Dec-13
Last Updated on: 18-Dec-12
Registrant:
Fleming Technologies
7156 Georgetown
Washington, Michigan 48095
United States
Administrative Contact:
Fleming, Sherry bfleming98@gmail.com
Fleming Technologies
7156 Georgetown
Washington, Michigan 48095
United States
(248) 974-6876

Sherry's email seems a little odd: bfleming. A search for "sherry fleming michigan" brings us to the Flash site of a web designer who apparently has worked on a poker site. The address listed on that page is the same as the one in the domain registration above.
The address seems to jibe with the registration information, but whose email was that? A quick Google of "bfleming98@gmail.com" shows Bryan C. Fleming, owner of a slew of domain names. Fair enough.
But what about our mysterious Stanley Ling? Stan registered his domain to stanley.ling@gmail.com, located at 29 Jalan 18/26, Taman Sri Rampai, Setapak in Kuala Lumpur, Malaysia.
Searching the registration email that was used, "stanley.ling@gmail.com," gives us his profile at a marketing website, where he confirms the email address and uses the username "syling."
It's worth noting that Gmail ignores periods in the local part of an address, so stanley.ling@gmail.com and stanleyling@gmail.com deliver to the same mailbox and we can search for both spellings. The second form turns up multiple SEO marketing sites. His cks-online.com domain now bounces to a suspended page for an affiliate marketing program.
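The dot trick generalizes: Gmail also treats googlemail.com as gmail.com and discards anything after a "+" in the local part, and none of that applies to other providers, where dots are significant. The helper below is an added example for this page, not something from the original post; it canonicalizes an address the way Gmail does and produces the handful of strings worth searching for (the address as registered, its canonical form, and the bare local part, which people tend to reuse as a username). The `search_variants` name and the choice of which variants to emit are this example's own.

```python
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address):
    """Collapse the variants Gmail treats as one mailbox: dots in the local part
    are ignored, a '+tag' suffix is dropped, and googlemail.com is gmail.com.
    For any other provider the address is returned lower-cased but otherwise
    untouched, because there the dots (and the plus) may be significant."""
    address = address.strip().lower()
    local, _, domain = address.rpartition("@")
    if domain not in GOOGLE_DOMAINS:
        return address
    local = local.split("+", 1)[0].replace(".", "")
    return "%s@gmail.com" % local


def search_variants(address):
    """Strings to pivot on: the registered form, the canonical form and the
    bare local parts of both, since registrants often reuse them as usernames."""
    registered = address.strip().lower()
    canonical = canonical_gmail(registered)
    variants = {registered, canonical,
                registered.rpartition("@")[0], canonical.rpartition("@")[0]}
    return sorted(v for v in variants if v)
```

For stanley.ling@gmail.com this yields stanley.ling, stanley.ling@gmail.com, stanleyling and stanleyling@gmail.com; for tech.admin@ihenderson.com it deliberately leaves the dots alone.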
A search for "stanley ling malaysia" brings us multiple hits for an actual Stanley Ling living in Setapak and using the name syling. He has multiple profiles confirming his address and interests in online marketing.
So, there you have it. Was Stan owned by a fellow affiliate marketer or was he the originator? Who knows, but I had fun anyway.