My email "phishing hole" received what looked like a bog-standard phishing email. Nominally from Chase bank, requesting that I update my information. Nothing particularly interesting – standard tricks like using a font with the background color to hide a bunch of random tripe so that Bayesian filters won't flag them – and the usual redirect at an <a href="someip"> Chase Online Form </a> where someip is chosen to look realistic. In this case it was "chaseonline.chase.com.modeisp.me.uk".
As usual, I collected information about the site to use as an example for my class, and then things got more interesting. The end of the web call went "OnlineForm.aspx?chase_id=89", and I attempted to get the file OnlineForm.aspx. No luck, just a 404 file not found. It turns out that OnlineForm.aspx is the directory where the files are stored and the ?chase_id= term just kicks the web browser into that directory where it returns index.html. This is a cool trick to make automated website slurping fail, and perhaps preserve the lifetime of the site.
These people seem to know a thing or two, although the HTML and PHP on the site are not exactly high quality. In fact I've seen it before.
Nonetheless, I then went to see who the modeisp.me.uk abuse line is, because I don't like ISPs that register obvious scam addresses and I suspect that the UK's serious fraud units don't either (the FBI certainly doesn't). So a quick pass by whois was in order.
Whois proceeded to tell me that this domain cannot be a registered UK domain because "the domain name contains too many parts". So how was an IP address associated with an invalid domain name?
Obviously the DNS cache was poisoned. This is neat – not only does the cache actually have a corrupted address resolution, but because the name is illegal it cannot be resolved by a call to normal nameservers. It will reside until there is a timeout or total flush of the DNS cache.
Digging further with dig, I find a list of five answers (I didn’t ask for more) which resolve to various places. The first address is a cable modem in Canada. The next is a cable modem in Korea (bora.net), and the last ones are various cable modems in the good ol’ USA.
It is highly unlikely that a Korean-Canadian-American conspiracy is at the root of this. Much more likely is that these five, among many others, are home machines that have been compromised and are acting as relay stations. The cache poisoning is used to distribute the relay stations so that any one of them can be removed from the net without compromising the entire system. A single, unchanging message thus refers to one of many relay machines, defeating simple blocking and further backtracking (at least at the level a professor can get to).
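Two checks from the investigation above, written up as an added example (this is not the blog's code): stripping the phishing hostname down to the registrable domain that whois will actually answer for, and summarising a dig reply to see whether the answers scatter across unrelated networks the way the five relay addresses did. The suffix list is a small hand-picked subset, and the dig output and addresses are constructed.

```python
"""Triage helpers for a phishing URL's hostname (added example, not the blog's code).

Two checks the post's investigation implies:
  1. whois answers for the registrable domain, not the full hostname
     ("chaseonline.chase.com.modeisp.me.uk" -> "modeisp.me.uk").
  2. a hostname that resolves to many addresses scattered across unrelated
     networks looks like a pool of relays rather than one hosting server.
The dig output below is constructed; the addresses are RFC 5737 documentation ranges.
"""
import ipaddress
import re

# Small hand-picked suffix list (assumption: a real tool would use the Public Suffix List).
MULTI_LABEL_SUFFIXES = {"me.uk", "co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

def registrable_domain(hostname: str) -> str:
    """Strip a hostname to the part a registry whois will actually answer for."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a hostname: {hostname!r}")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])          # e.g. modeisp.me.uk
    return ".".join(labels[-2:])              # e.g. example.com

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)

def parse_a_records(dig_output: str) -> list[tuple[str, int, str]]:
    """Return (name, ttl, address) for each A record in dig's ANSWER SECTION."""
    return [(n, int(ttl), ip) for n, ttl, ip in ANSWER_RE.findall(dig_output)]

def relay_pool_indicators(records) -> dict:
    """Count the distinct /24 networks the answers fall in and the lowest TTL.
    Many distinct networks plus short TTLs is the relay-pool pattern the post describes."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for _, _, ip in records}
    return {"addresses": len(records), "distinct_24s": len(nets),
            "min_ttl": min((ttl for _, ttl, _ in records), default=None)}

# Constructed dig answer section, modelled on the post's five-address reply.
SAMPLE_DIG = """\
;; ANSWER SECTION:
chaseonline.chase.com.modeisp.me.uk. 300 IN A 192.0.2.17
chaseonline.chase.com.modeisp.me.uk. 300 IN A 198.51.100.9
chaseonline.chase.com.modeisp.me.uk. 300 IN A 203.0.113.44
chaseonline.chase.com.modeisp.me.uk. 300 IN A 203.0.113.201
chaseonline.chase.com.modeisp.me.uk. 300 IN A 192.0.2.250
"""

if __name__ == "__main__":
    host = "chaseonline.chase.com.modeisp.me.uk"
    print("whois target:", registrable_domain(host))
    print(relay_pool_indicators(parse_a_records(SAMPLE_DIG)))
```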