Well, THERE’S something you don’t see every day!

Lately, I’ve been getting a spate of “phishing” emails, at about two a day. These mails claim to come from a bank, and say something along the lines of “Your online banking has been suspended, you need to give us your banking details again.” They then point to a fake Web site that looks just like a real banking site, and try to dupe victims into typing their bank account numbers and passwords and such into the fake site. All pretty bog-standard so far.

The past few weeks have seen a very specific type of phish that’s relatively unusual; rather than trying to get me to type in my account number and password, these phish emails lead me to a site that tries to get me to download a “browser encryption update” to my computer. The “update” is, of course, a computer virus that records everything I do in my browser and sends it back to the hackers. A bit of a twist on the idea, but still basically the same thing.

What’s surprised me is the sophistication of these phishes. The fake Web sites have really long names, such as

http://ktt.key.ktt.cmd.logonFromKeyCom.productsremote.KUTglSiqAY.rnalid.viewcontent.ttioense.com/logon.htm
( *** WARNING *** *** WARNING *** *** WARNING *** This site is live as of the time of this writing, and WILL try to download malware onto your computer!)

What’s unusual about this is three things.

First, the hackers are registering a domain, rather than just hanging the phish off of a hacked Web site.

Second, the hackers are putting this domain on a large number of computers, probably hacked home PCs, spread out all over the world, so that if one of them is shut down the others will still work. As of the time of this typing, ttioense.com is living on ten different IP addresses in ten different parts of the world.

Third, the hackers are running their own name servers. They are hacking computers, setting up name servers on those computers, and then using those name servers to set up sites that pretend to be bank sites and try to download malware. Essentially, they are creating their own “shadow Internet”: their own Web sites set up on hacked computers, and their own domain name servers also set up on hacked computers.
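As an added illustration (my own example, not anything from the phishing kit or the registrar), here is how a defender might turn those three traits into a triage check over resolver output: many A records spread across many networks, a short TTL, and a name server sitting in an allocation that has no business hosting a bank lookalike. The DNS data is constructed, the flux-host addresses are drawn from the reserved 100.64.0.0/10 block so they point at nothing real, the 22.0.0.0/8 range is the DoD allocation from the whois output quoted later in this post, and the thresholds are assumptions.

```python
import ipaddress

# Allocation to flag if a domain's name server lives inside it: the DoD NIC
# range 22.0.0.0/8 quoted later in the post.
SUSPICIOUS_NETS = [ipaddress.ip_network("22.0.0.0/8")]

# Constructed resolver results (not real lookups). Flux-host addresses sit in the
# reserved 100.64.0.0/10 block; the ns2 address is the one quoted in the post.
FLUX_DOMAIN = {
    "domain": "ttioense.com", "ttl": 300,
    "a_records": ["100.64.1.10", "100.65.2.20", "100.66.3.30", "100.67.4.40",
                  "100.68.5.50", "100.69.6.60", "100.70.7.70", "100.71.8.80",
                  "100.72.9.90", "100.73.10.100"],
    "ns_hosts": {"ns1.dabchecks.com": "100.80.1.1",      # constructed
                 "ns2.dabchecks.com": "22.25.119.21"},   # from the post
}
BENIGN_DOMAIN = {  # an ordinary site: two hosts in one /24, day-long TTL
    "domain": "example.net", "ttl": 86400,
    "a_records": ["100.90.1.10", "100.90.1.11"],
    "ns_hosts": {"ns1.example.net": "100.90.2.1", "ns2.example.net": "100.91.2.1"},
}


def flux_indicators(record):
    """Count distinct A records and the distinct /16 networks they fall in,
    and carry the TTL along; fast-flux rotates many hosts with short TTLs."""
    ips = {ipaddress.ip_address(a) for a in record["a_records"]}
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return {"distinct_ips": len(ips), "distinct_16s": len(nets), "ttl": record["ttl"]}


def odd_name_servers(record, suspicious_nets=SUSPICIOUS_NETS):
    """Name servers whose address lies inside one of the flagged allocations."""
    return {host: ip for host, ip in record["ns_hosts"].items()
            if any(ipaddress.ip_address(ip) in net for net in suspicious_nets)}


def assess(record, min_ips=5, min_nets=4, max_ttl=1800):
    """Return (verdict, reasons); thresholds are illustrative assumptions."""
    ind = flux_indicators(record)
    reasons = []
    if ind["distinct_ips"] >= min_ips and ind["distinct_16s"] >= min_nets:
        reasons.append(f"{ind['distinct_ips']} A records across {ind['distinct_16s']} /16s")
    if ind["ttl"] <= max_ttl:
        reasons.append(f"short TTL ({ind['ttl']}s)")
    for host, ip in odd_name_servers(record).items():
        reasons.append(f"{host} -> {ip} is inside a flagged allocation")
    verdict = "fast-flux" if len(reasons) >= 2 else "normal"
    return verdict, reasons
```

Feeding real resolver output into `assess` needs only the same three fields per domain; the NS-range check is the cheap part worth keeping even where the flux thresholds do not fit.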

Still pretty bog-standard, if technically sophisticated.

Hold on to your hat, Dorothy, because Kansas is about to go bye-bye.

As of the time of this writing, ttioense.com, the fake bank Web site that tries to download a virus, has two name servers:

Domain name: ttioense.com

Technical Contact:
Pamela Saul pamela@yahoo.com
3366810811 fax: 3366810811
5903 Shenandoah Road
Greensboro NC 27405
us

Billing Contact:
Pamela Saul pamela@yahoo.com
3366810811 fax: 3366810811
5903 Shenandoah Road
Greensboro NC 27405
us

DNS:
ns1.dabchecks.com
ns2.dabchecks.com

Created: 2008-10-15
Expires: 2009-10-15

Now, ns1.dabchecks.com is running on a server in the UK belonging to a company called UK Dedicated Servers Limited.

On the other hand, ns2.dabchecks.com…

ns2.dabchecks.com is running at 22.25.119.21, on an IP address belonging to the United States Department of Defense. Specifically, 22.25.119.21 belongs to the Department of Defense Network Information Center, a military network so paranoid that their main Web site won’t let you log on unless you have a special access card and you’re connecting from a .mil address.

whois 22.25.119.21

OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US

NetRange: 22.0.0.0 - 22.255.255.255
CIDR: 22.0.0.0/8
NetName: NICS0175
NetHandle: NET-22-0-0-0-1
Parent:
NetType: Direct Allocation
Comment:
RegDate: 1989-06-26
Updated: 2007-07-06

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-614-692-2708
OrgTechEmail: HOSTMASTER@nic.mil

And that isn’t something you see every day.