Saturday, July 27, 2013

Tariff DNS Scam Email - DreamHost Phishing Scam

Recently, I received an email that was supposed to have come from my hosting company. It said I needed to confirm a request for changing of a tariff plan. The wording, however, was awful, and it was very non-specific as to the recipient. The email I got was as follows:

Dear DreamHost client,

In your account has been created request for changing of a tariff plan. 
It is necessary confirmation of this request. 
You can do it in the section (Change tariff) Virtual Offices :

https://dreamhost.com/login.aspx?ts=domain.org?
19abc7f04ff-c0ac4315-99bf3-55dcbd7ec5c44AECA3E759B1992CFA6Ad4

Sincerely,

DreamHost hosting Team.


Someone who is rushing may not read the contents of this email and just click the link. This clever scammer set up a catch-all subdomain so that the link would even appear to point to dreamhost. The link would take you here:

http://panel.dreamhost.com.login.2qjesez0l6dlilz4tuz67gzzz1bkwp4lyg3apxo1jrzimfx27l9wbbgbuaf72m.vqp9gqp87c8za6gayfc0fvryrbzkczg4r4u5f95me64v9q1ddk99x4qcoo85e.eyt0b3of65cvtd5c6shn2baq8xslyuj4yckz72tgwok4n5npixapz02xr3viztc.kidea.com/login.php?domain=domain.org

At first glance, this appears to go to http://panel.dreamhost.com, but notice that it is really all part of a complex sub-domain meant to confuse the recipient. The root domain is actually: kidea.com
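The trick described above can be checked mechanically. The following Python is an added example, not code from the original post: it splits each URL into its DNS labels, extracts the registrable domain, and contrasts the naive "does the address contain dreamhost.com?" check (which the catch-all subdomain defeats) with a strict suffix check. Its only input is the two URLs quoted above, and it assumes a single-label public suffix such as .com, as noted in the code.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample input: the two URLs quoted in the post. DISPLAYED_URL is
# the address shown in the email body; ACTUAL_URL is where the link really led.
DISPLAYED_URL = "https://dreamhost.com/login.aspx?ts=domain.org"
ACTUAL_URL = (
    "http://panel.dreamhost.com.login."
    "2qjesez0l6dlilz4tuz67gzzz1bkwp4lyg3apxo1jrzimfx27l9wbbgbuaf72m."
    "vqp9gqp87c8za6gayfc0fvryrbzkczg4r4u5f95me64v9q1ddk99x4qcoo85e."
    "eyt0b3of65cvtd5c6shn2baq8xslyuj4yckz72tgwok4n5npixapz02xr3viztc."
    "kidea.com/login.php?domain=domain.org"
)


def hostname_labels(url: str) -> list[str]:
    """Split a URL's hostname into its DNS labels, left to right."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host.split(".") if host else []


def registrable_domain(url: str) -> str:
    """Return the domain that was actually registered (the last two labels).

    Assumption: the public suffix is a single label such as .com. For suffixes
    like co.uk a public-suffix list (e.g. the tldextract package) is needed.
    """
    return ".".join(hostname_labels(url)[-2:])


def naive_looks_like(url: str, brand_domain: str) -> bool:
    """The check a hurried reader effectively makes: does the address contain
    the brand's domain anywhere? A catch-all subdomain passes this easily."""
    return brand_domain in url.lower()


def is_under(url: str, brand_domain: str) -> bool:
    """Strict check: the hostname must be the brand domain itself or end with
    '.' + brand domain, so the brand owns the registrable part."""
    host = ".".join(hostname_labels(url))
    return host == brand_domain or host.endswith("." + brand_domain)


def brand_abused_in_subdomain(url: str, brand_domain: str) -> bool:
    """Detection heuristic: the brand's labels appear inside the hostname,
    but the hostname is not actually under the brand's domain."""
    labels = hostname_labels(url)
    brand = brand_domain.split(".")
    n = len(brand)
    appears = any(labels[i:i + n] == brand for i in range(len(labels) - n + 1))
    return appears and not is_under(url, brand_domain)


def link_target_mismatch(shown: str, href: str) -> bool:
    """True when the visible link text and the real target belong to
    different registrable domains, a classic phishing tell."""
    return registrable_domain(shown) != registrable_domain(href)


if __name__ == "__main__":
    for url in (DISPLAYED_URL, ACTUAL_URL):
        print(url[:60] + ("..." if len(url) > 60 else ""))
        print("  registrable domain:", registrable_domain(url))
        print("  naive 'dreamhost.com' check:", naive_looks_like(url, "dreamhost.com"))
        print("  strict suffix check:", is_under(url, "dreamhost.com"))
        print("  brand abused in subdomain:", brand_abused_in_subdomain(url, "dreamhost.com"))
    print("shown/target mismatch:", link_target_mismatch(DISPLAYED_URL, ACTUAL_URL))
```

Run as-is, the naive check accepts the phishing URL while the strict check rejects it and the heuristic flags the brand name sitting in the subdomain; the mismatch between the address shown in the email and the real target is the other signal a mail filter or a careful reader can act on.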

Looking at the whois record for this domain, we can find out the following information.

This domain is hosted by tucows.com, its name servers point to bluehost.com, and it is registered to a company with the following registration record:

XOL Holding
Beirut
Beirut, Beirut xxxxx
LB

The technical contact information for this domain is:
Nassar Center
5th Floor
Charles El-Helou Avenue, Rmeil
Beirut,  20727508
LB

This happens to be the ISP end point, a company in Lebanon called Terra Net. This company has chosen not to disclose more information about the scammers.

So, looking at the main website for kidea.com, we find out some interesting information. One, that they used a company called art-promotion to build and design their site. This company happens to also be in Lebanon, so I looked up their whois and found that they were also hosted on bluehost.com, with the following contact information:

Saab, Jean web@artpromotion-lb.com
Art Promotion
Nahr el Mot
Beirut, -
Lebanon
+961.3737247

So I went to look closer at kidea.com and found that this might be a cover site (or some poor site that got hacked). The poor design and lack of ecommerce functionality are what seem to indicate that there is more than meets the eye. You can't check out with any of the items they sell. It's difficult to think that this isn't part of the scam.

Regardless of who this phishing scam came from, be sure to take the time to read your emails before you go clicking links and signing in.
