Well, THERE’S something you don’t see every day!

Lately, I’ve been getting a spate of “phishing” emails, at about two a day. These mails claim to come from a bank, and say something along the lines of “Your online banking has been suspended, you need to give us your banking details again.” They then point to a fake Web site that looks just like a real banking site, and try to dupe victims into typing their bank account numbers and passwords and such into the fake site. All pretty bog-standard so far.

The past few weeks have seen a very specific type of phish that’s relatively unusual: rather than trying to get me to type in my account number and password, these phish emails lead me to a site that tries to get me to download a “browser encryption update” to my computer. The “update” is, of course, a computer virus that records everything I do in my browser and sends it back to the hackers. A bit of a twist on the idea, but still basically the same thing.

What’s surprised me is the sophistication of these phishes. The fake Web sites have really long names, such as

http://ktt.key.ktt.cmd.logonFromKeyCom.productsremote.KUTglSiqAY.rnalid.viewcontent.ttioense.com/logon.htm
( *** WARNING *** *** WARNING *** *** WARNING *** This site is live as of the time of this writing, and WILL try to download malware onto your computer!)
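As an added example (not part of the original post), here is a small Python triage script for the hostname trick described above: it pulls the registrable domain out of the URL, notes when a bank’s name appears only in the subdomain labels rather than in the domain that was actually registered, and flags the very deep label chains that push the real domain off the edge of the address bar. The two phishing URLs are the one quoted above and the one a commenter quotes further down the thread, re-joined onto one line; the control URL, the brand-token list and the five-label threshold are constructed for this example, and the registrable-domain helper assumes a plain two-label TLD rather than consulting the Public Suffix List.

```python
from urllib.parse import urlsplit

# Sample input. The first two URLs are quoted on this page (do not visit them);
# the third is a constructed control that should trip none of the indicators.
SAMPLE_URLS = [
    "http://ktt.key.ktt.cmd.logonFromKeyCom.productsremote.KUTglSiqAY.rnalid.viewcontent.ttioense.com/logon.htm",
    "http://direct.bankofamerica.usanationwide.memberverify.portalserver.9ggevhfqw.loexeiv.com/control.htm?/viewcontent/verification/OSL.htm?LOB=13075756&refer=XftZjTTe9ggEVHf",
    "https://www.example.com/login",
]

# Brand tokens to watch for. Constructed list; a real deployment loads the
# brands it protects from configuration.
BRAND_TOKENS = ("bankofamerica", "keybank", "key")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (e.g. 'ttioense.com').

    Assumption: a two-label layout. A production tool would consult the
    Public Suffix List so that names like 'example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str) -> dict:
    """Score one URL for the deceptive-hostname pattern described in the post."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lowercased
    labels = host.split(".")
    reg = registrable_domain(host)
    sub_labels = labels[:-2]                     # everything in front of the registrable domain

    brand_in_sub = sorted({b for b in BRAND_TOKENS for label in sub_labels if b in label})
    brand_in_reg = sorted({b for b in BRAND_TOKENS if b in reg})

    return {
        "host": host,
        "registrable_domain": reg,
        "subdomain_label_count": len(sub_labels),
        "brand_in_subdomain": brand_in_sub,
        "brand_in_registrable": brand_in_reg,
        # A brand name that appears only in the subdomain part is the classic tell:
        # whoever registered the last two labels owns the site, not the bank.
        "brand_spoof": bool(brand_in_sub) and not brand_in_reg,
        # Unusually deep label chains are meant to hide the real domain.
        "deep_hostname": len(sub_labels) >= 5,
        # A query string that itself looks like a path (the "second question mark"
        # a commenter noticed) usually means a redirector or a hidden landing page.
        "query_looks_like_path": parts.query.startswith("/"),
    }


def triage(urls) -> dict:
    """Return {host: [reasons]} for every URL that trips at least one indicator."""
    flagged = {}
    for url in urls:
        r = analyze_url(url)
        reasons = [k for k in ("brand_spoof", "deep_hostname", "query_looks_like_path") if r[k]]
        if reasons:
            flagged[r["host"]] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_URLS).items():
        print(host, "->", ", ".join(reasons))
```

The script only parses strings and never connects to anything; the realistic use is to run it over the URLs a mail gateway has extracted from incoming messages. The bare token "key" is deliberately loose and will match innocent words, so in practice the brand list wants whole-label matching or a curated token set.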

Three things are unusual about this.

First, the hackers are registering a domain, rather than just hanging the phish off of a hacked Web site.

Second, the hackers are putting this domain on a large number of computers, probably hacked home PCs, spread out all over the world, so that if one of them is shut down the others will still work. As of the time of this typing, ttioense.com is living on ten different IP addresses in ten different parts of the world.

Third, the hackers are running their own name servers. They are hacking computers, setting up name servers on those computers, and then using those name servers to set up sites that pretend to be bank sites and try to download malware. Essentially, they are creating their own “shadow Internet”–their own Web sites set up on hacked computers, and their own domain name servers also set up on hacked computers.

Still pretty bog-standard, if technically sophisticated.

Hold on to your hat, Dorothy, because Kansas is about to go bye-bye.

As of the time of this writing, ttioense.com, the fake bank Web site that tries to download a virus, has two name servers:

Domain name: ttioense.com

Technical Contact:
Pamela Saul pamela@yahoo.com
3366810811 fax: 3366810811
5903 Shenandoah Road
Greensboro NC 27405
us

Billing Contact:
Pamela Saul pamela@yahoo.com
3366810811 fax: 3366810811
5903 Shenandoah Road
Greensboro NC 27405
us

DNS:
ns1.dabchecks.com
ns2.dabchecks.com

Created: 2008-10-15
Expires: 2009-10-15

Now, ns1.dabchecks.com is running on a server in the UK belonging to a company called UK Dedicated Servers Limited.

On the other hand, ns2.dabchecks.com…

ns2.dabchecks.com is running at 22.25.119.21, on an IP address belonging to the United States Department of Defense. Specifically, 22.25.119.21 belongs to the Department of Defense Network Information Center–a military network so paranoid that their main Web site won’t let you log on unless you have a special access card and you’re connecting from a .mil address.

whois 22.25.119.21

OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US

NetRange: 22.0.0.0 - 22.255.255.255
CIDR: 22.0.0.0/8
NetName: NICS0175
NetHandle: NET-22-0-0-0-1
Parent:
NetType: Direct Allocation
Comment:
RegDate: 1989-06-26
Updated: 2007-07-06

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-614-692-2708
OrgTechEmail: HOSTMASTER@nic.mil

And that isn’t something you see every day.
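The post’s three observations (a registered domain, a record set spread across ten hosting IPs in ten different places, attacker-run name servers) plus the whois lookup above amount to a checklist a defender can automate. The following is an added example, not the post’s own code: it runs a fast-flux heuristic over a DNS snapshot and maps each name server’s address to the owning network with a longest-prefix match, so that a name server sitting on a range that is not a hosting provider stands out. The 22.0.0.0/8 entry and the ns2 address come from the whois output above; the ten A records, the 300-second TTL, the ns1 address (a documentation-range placeholder for the UK hosting company’s block, which the post does not give) and the thresholds are constructed for the example.

```python
import ipaddress
from collections import Counter

# Ownership table for longest-prefix matching: (CIDR, organisation, category).
# The 22.0.0.0/8 line is taken from the whois output in the post; the
# 192.0.2.0/24 line is a placeholder standing in for the UK hosting company.
ALLOCATIONS = [
    ("22.0.0.0/8", "DoD Network Information Center", "government"),
    ("192.0.2.0/24", "UK Dedicated Servers Limited (placeholder prefix)", "hosting"),
]

# Constructed snapshot of what a resolver would have returned. The ten A records
# (RFC 1918 space) and the TTL are made up because the post gives the count but
# not the addresses; ns2's address is the one quoted in the post.
SNAPSHOT = {
    "domain": "ttioense.com",
    "ttl": 300,
    "a_records": [f"10.{i}.{i * 7 % 251}.{i * 13 % 251}" for i in range(1, 11)],
    "ns_records": {
        "ns1.dabchecks.com": "192.0.2.10",    # placeholder for the UK server
        "ns2.dabchecks.com": "22.25.119.21",  # from the post
    },
}


def owner_of(ip, allocations=ALLOCATIONS):
    """Longest-prefix match of an address against the allocation table.

    Returns (organisation, category); ("unknown", "unknown") when nothing matches.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, org, category in allocations:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org, category)
    return (best[1], best[2]) if best else ("unknown", "unknown")


def fast_flux_indicators(a_records, ttl, min_ips=5, min_networks=4, max_ttl=300):
    """Flag a record set that spreads across many /16s and carries a short TTL.

    Thresholds are constructed for this example; tune them to local traffic.
    """
    nets = Counter(str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in a_records)
    distinct_ips = len(set(a_records))
    return {
        "distinct_ips": distinct_ips,
        "distinct_slash16": len(nets),
        "ttl": ttl,
        "fast_flux": distinct_ips >= min_ips and len(nets) >= min_networks and ttl <= max_ttl,
    }


def assess(snapshot, allocations=ALLOCATIONS):
    """Combine the flux check with an owner lookup for every name server."""
    result = fast_flux_indicators(snapshot["a_records"], snapshot["ttl"])
    owners = {ns: owner_of(ip, allocations) for ns, ip in snapshot["ns_records"].items()}
    result["nameserver_owners"] = {ns: org for ns, (org, _) in owners.items()}
    # A name server whose address is not in a hosting provider's range is a
    # strong hint that it is running on a compromised machine.
    result["ns_on_unexpected_network"] = [
        ns for ns, (_, category) in owners.items() if category != "hosting"
    ]
    return result


if __name__ == "__main__":
    verdict = assess(SNAPSHOT)
    print(SNAPSHOT["domain"], "fast-flux:", verdict["fast_flux"],
          f"({verdict['distinct_ips']} IPs across {verdict['distinct_slash16']} /16s)")
    for ns, org in verdict["nameserver_owners"].items():
        print(f"  {ns} -> {org}")
    print("name servers on unexpected networks:", verdict["ns_on_unexpected_network"])
```

In practice the snapshot comes from repeated lookups of the domain and its NS records, and the allocation table from bulk whois or RIR data; the point of the /16 count is that a legitimately load-balanced site sits in one or two provider networks, while a botnet-hosted one scatters across residential ranges the way the post describes.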

74 thoughts on “Well, THERE’S something you don’t see every day!”

  1. Does this mean we have hackers hacking the Pentagon to run a phishing scam, or the military getting so desperate for cash that *they’re* running a phishing scam?

    best,

    Joel. Who has no idea how to tell.

    • If the military were to set up such a scam, they wouldn’t use their own IP addresses. The FBI recently conducted a multiyear sting operation aimed at hackers and credit card crackers, and they set up a fictitious forum on an ISP known to be friendly to criminal activity. There’s simply no need for the government, were it to do such things, to be so obvious.

      And the Pentagon isn’t exactly hurting for money; it gets more money for military spending than the entire rest of the world put together. The amount of money that even a wildly successful phishing expedition could bring in wouldn’t amount to more than a rounding error in one segment of one part of the Pentagon’s overall budget; they probably spend more money on paper clips in a year than what they could make by this sort of fraud.

      There’s no doubt in my mind that the government is willing to engage in fraud–just not this kind of pissant penny-ante low-level fraud.

    • Heh. Of course, that happens when folks try to demonstrate those weaknesses by hacking them–which is, of course, profoundly stupid. Merely reporting on them is a different matter.

  3. This is seriously weird. If they hacked 22.25.119.21, then why on earth would they use it for something so silly? Perhaps they simply didn’t bother to see who they’d hit?

    I’m certain the NSA/DoD are doing some stuff we’ll never know about in service of our corporate overlords, but there’s just no way even human incompetence would explain publicly outing themselves in this manner.

    president/bomb/terrorist
    Hello TIA
    • That’s my guess. They probably hack sites by using automated tools like Metasploit, and don’t know or care who owns the IP addresses. I bet the folks responsible have no earthly clue they’ve hacked a server on an IP range belonging to the DoD.

      At least not yet.

  5. In a purely theoretical way, I’ve long wondered if mail spam couldn’t be turned into some kind of tool for a military power. Each individual spam itself wouldn’t be very useful, but a huge swarm of spam could give you statistical measurements of some kind, of the state of the internet backbone, or people’s individual machines, all kinds of things.

    What I like about this theory, is that it brings John Q Public into the battlefield. Which kind-of jibes with a lot of other things I can’t help but notice.

    • Actually, you’re pretty close to something that’s used routinely. The kind, amount, and pattern of spam is often used to get a rough approximation of the size of different botnets. Botnets are frequently used to send spam, and comparing the volumes of spam with botnet command and control traffic coming from the same IP address, and then comparing that spam with other related spam, gives researchers a pretty nice approximation of the size of the botnets in question.

  7. ummmmmmm… I have no idea what you are trying to say here- avoid said website? *scratches head in confusion*….
    nope. I’ve decided that perhaps I’m simply not geek enough to grok it…something about banks?

    • Basically…

      The hackers, in an effort to spread out and control more machines, converted a military Department of Defense machine.

      He was remarking about how hard this is to do (They got some SERIOUS security) and how the hackers probably don’t realize this (if they do, they are VERY stupid or very clever. Talking either rainman here or einstein).

      • Re: Basically…

        My interpretation was that this was part of a US cyberwarfare initiative that could provide selectively trustworthy DNS service as soon as ns1 was shut off.

        • Re: Basically…

          That IS a possibility, but IMHO, it would border on too much paranoia for me to feel comfortable with taking as my own.

          Then again, just because you are paranoid doesn’t mean they aren’t out to get you anyway. 🙂

        • Re: Basically…

          I’m skeptical about that. If it were so, why put ns1 on a compromised box in the UK? More likely, I think, is that the criminals set up their own name servers on hacked boxes–a common technique used by many of the more technically inclined phishers and hackers–but simply didn’t realize that one of the boxes they hacked was living in DoD IP space.

          I find it easier to believe that someone left an unsecured box running in what is supposed to be a secure IP range than that the government is setting up its own phantom name servers. The domain dabchecks.com is registered with bizcn.com, a registrar in China; a government agency wanting to set up a name server they controlled wouldn’t register it in China, because the Chinese could, any time they wanted, simply pull the plug on the registration.

          • Re: Basically…

            If it were so, why put ns1 on a compromised box in the UK?

            Shoddy tradecraft? 🙂

            But you’re right — they probably just don’t know what’s going on.

      • Re: Basically…

        hmm Rainman isn’t a very good example of stupid- sure the fictionalized autistic man had a disability but he wasn’t stupid….. just had great difficulty processing information effectively(plus an emotionally charged issue with his “brother”) & even highly intelligent people can do stupid things with the encouragement & arm twisting of friends(say Einstein’s involvement in the development of the bomb?)… sorry it’s early even for *me* (I’m a morning person)- that’s the best I got while re-thinking it & re-reading your comment (plus double checking with my brilliant but geeky partner 🙂

        • Re: Basically…

          Rainman was the best I could come up with in my rush. If you know of another very stupid person who everyone would know, please feel free to replace rainman with that person. 🙂

          • Re: Basically…

            See… I was going to say this…

            But while he may not be that smart, he is smart enough to be sociable with the right people and smart enough to get elected. Granted, he’s not smart enough to make the right decisions, but I’m looking for the level of stupid that is even below his level.

            Also, I didn’t want to pick a political party. I could have as easily said Clinton, but that would’ve been pushing it into an area I didn’t want to go. 🙂

          • Re: Basically…

            Heh. I think Clinton was savvier than W; he got his graduate degree from Oxford on a Rhodes scholarship, after all. They don’t hand those out to dummies–not even to wealthy, politically-connected dummies.

          • Re: Basically…

            hmmm He & Gump are in totally different categories- one’s a loudmouthed twit that never should have been president & one’s a bumbler who gets through life successfully by going with his strength- basically he didn’t know what should have been impossible & therefore he accomplished the impossible- his charisma is that he’s honest & sweet & considerate, kind, reliable *and* he’s honest, unlike the *other* we’re discussing that would have made a great supervillain’s henchman….

          • Re: Basically…

            drat!… now you’ve done it- you’ve gone & made me think…. If I don’t come up with anyone it’ll bother me all day (one of the joys of having way too much time on your hands
            *rolls eyes*

          • Re: Basically…

            Forrest Gump… How’s that? 🙂

            and no. You can’t use the same arguments I used for Bush. Gump was moved forward by random chances. Not by his own planning.

          • Re: Basically…

            I was under the impression that you were looking for a fictional character instead of one we all *wish* was fictional?

    • Many criminals on the Internet make money by setting up fake Web sites that look like your bank’s Web site, then tricking people into typing their bank account number and password into the fake Web sites. (Any time you get an email that says it is from your bank and tells you to go to a certain link in order to “validate your account” or that sort of thing, it’s a criminal trying to trick you with a fake Web site.)

      The criminals collect bank account numbers and passwords from these fake Web sites, then empty out the accounts. It’s big business.

      That’s what’s going on here. Hackers have created a fake bank Web site that is supposed to trick people into thinking it belongs to Key Bank. Part of the network that they set up to make this fake Web site is living on a hacked computer on an IP address belonging to the Defense Department.

  10. “ns2.dabchecks.com is running at 22.25.119.21, on an IP address belonging to the United States Department of Defense. Specifically, 22.25.119.21 belongs to the Department of Defense Network Information Center–a military network so paranoid that their main Web site won’t let you log on unless you have a special access card and you’re connecting from a .mil address.”

    LMFAO

  12. Re: Basically…

    IMHO, No.

    They probably didn’t check to see what happened. So I’m voting on very stupid. 🙂

    Basically, when the Military finds out (and they will), all hell will break loose on these hackers.

  25. Yeah. I bet when someone finally gets ’round to noticing that the machine on that IP address has been breached, someone else will be in a world of hurt.

  30. Heh. I just got one of these:

    http://direct.bankofamerica.usanationwide.memberverify.portalserver.9ggevhfqw.loexeiv.com/control.htm?/viewcontent/verification/OSL.htm?LOB=13075756&refer=XftZjTTe9ggEVHf

    What struck *me* as odd was the second question mark…
