Although I had promised that there would not be any more articles or blog posts on SURL Analyzer, which has since been renamed "SMART Filter", this particular post is an exception. A few days back, on 10th Jan 2013, we came across a tweet that mentioned a particular URL being used in a phishing attempt against Twitter users, and we could not resist testing the analyzer against it.
Suspect URL: hxxp://itwtier[.]com/9/verify/?&account_secure_login
For this test to be successful, we tested not only the URL in question but also twitter.com itself.

twitter.com
Checking 2: https://twitter.com/search
Checking 2: https://twitter.com/sessions/change_locale
Checking 2: https://twitter.com/sessions
Checking 2: https://twitter.com/signup
Results=0
Analysis Time=0.110387716061872 seconds
Total Time=2.43123417080244 seconds
itwtier.com
Checking 3: https://itwtier.com/9/verify/app1/login.php Ac=1 #Phish
Checking 4: https://itwtier.com/9/verify/app1/login.php AcD2=1 #Exp #Phish
Results=2
Analysis Time=0.0108088408332639 seconds
Total Time=0.253689396554118 seconds
Screenshots:
In the previous blog post I mentioned using the information gathered from the whois query; this time we will use the registrant email ID for further lookups.
Whois : itwtier.com
Domain Name………. itwtier.com
Creation Date…….. 2013-01-08
Registration Date…. 2013-01-08
Expiry Date………. 2014-01-08
Admin Email………. liangyan997@hotmail.com
Admin Phone………. +86.2187751100
Admin Fax………… +86.2187751100
Organisation Name…. fang yun
Organisation Address. Shang hai City
Organisation Address. Shang Hai
Organisation Address. 200000
Organisation Address. SH
Organisation Address. CN

DNS Query : dig itwtier.com ANY
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
itwtier.com. IN ANY

;; ANSWER SECTION:
itwtier.com. 3599 IN SOA ns2.dns.com.cn. root.ns2.dns.com.cn. 2013010820 3600 3600 68400 180
itwtier.com. 3599 IN A 210.209.115.76
itwtier.com. 3599 IN NS ns14.dns.com.cn.
itwtier.com. 3599 IN NS ns13.dns.com.cn.

;; Query time: 381 msec
Since the Registrant-ID is not available, we use the email ID instead, and we find yet another domain, "itvwtter.com", registered on 2013-01-04 using the same email ID.

Proof: https://www.phishtank.com/phish_detail.php?phish_id=1687483 and https://pastebin.com/T1UuBkj2

"SMART Filter" detects this attempt too.
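The registrant-email pivot described above, written out as an added Python example (this is not code from the original post or from SMART Filter): it parses whois output in the dotted "Key…… value" layout quoted above, pulls the admin/registrant email and creation date from each record, finds other domains in a record set that share the email, and flags those registered shortly before the date the phishing URL was observed. The itwtier.com record reproduces the fields quoted in the post; the itvwtter.com record is constructed from the post's statement that it was registered on 2013-01-04 under the same email, the example.com record is a constructed unrelated control, and the 30-day "recently registered" threshold is an assumed value.

```python
import re
from datetime import date

# Whois records in the dotted layout quoted in the post. itwtier.com reproduces
# the post's fields; itvwtter.com is constructed from the post's statement about
# it; example.com is a constructed control that shares nothing with the others.
WHOIS_RECORDS = {
    "itwtier.com": """Domain Name………. itwtier.com
Creation Date…….. 2013-01-08
Registration Date…. 2013-01-08
Expiry Date………. 2014-01-08
Admin Email………. liangyan997@hotmail.com
Admin Phone………. +86.2187751100
Organisation Name…. fang yun
Organisation Address. CN""",
    "itvwtter.com": """Domain Name………. itvwtter.com
Creation Date…….. 2013-01-04
Admin Email………. liangyan997@hotmail.com
Organisation Name…. fang yun""",
    "example.com": """Domain Name………. example.com
Creation Date…….. 1995-08-14
Admin Email………. hostmaster@example.com
Organisation Name…. Example Registrant""",
}

# Date on which the post says the phishing URL was seen (10th Jan 2013).
OBSERVED_ON = date(2013, 1, 10)

# "Key" followed by a run of dots or ellipsis characters, then the value.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)[.…]+\s*(?P<value>.*?)\s*$")


def parse_whois(text):
    """Turn dotted whois output into a dict of lower-cased field name -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip().lower()] = m.group("value")
    return fields


def registrant_email(fields):
    """Prefer a Registrant Email field; fall back to Admin Email as in the post."""
    for key in ("registrant email", "admin email"):
        if key in fields:
            return fields[key].lower()
    return None


def domain_age_days(fields, observed):
    """Days between the whois Creation Date and the observation date."""
    return (observed - date.fromisoformat(fields["creation date"])).days


def pivot_on_email(records, seed_domain):
    """Return (email, [other domains sharing that registrant/admin email])."""
    email = registrant_email(parse_whois(records[seed_domain]))
    related = [
        domain
        for domain, text in records.items()
        if domain != seed_domain and registrant_email(parse_whois(text)) == email
    ]
    return email, sorted(related)


def assess(records, seed_domain, observed=OBSERVED_ON, max_age_days=30):
    """Age-check the seed domain and every domain found by the email pivot.

    max_age_days is an assumed threshold: domains registered within that many
    days of the observation are marked recently_registered.
    """
    email, related = pivot_on_email(records, seed_domain)
    findings = {}
    for domain in [seed_domain] + related:
        age = domain_age_days(parse_whois(records[domain]), observed)
        findings[domain] = {
            "email": email,
            "age_days": age,
            "recently_registered": age <= max_age_days,
        }
    return findings


if __name__ == "__main__":
    for domain, info in assess(WHOIS_RECORDS, "itwtier.com").items():
        print(f"{domain}: registered {info['age_days']} days before observation "
              f"(email {info['email']}, recent={info['recently_registered']})")
```

A shared registrant email is a lead for further review, not proof of a common operator: free webmail addresses can be reused or set to someone else's, and whois privacy services hide the real contact entirely, so the pivot is most useful when combined with the domain-age check and the analyzer's own verdict, as the post does.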
Pingback: Phishing: Customer Satisfaction Survey | Welcome to the eScan Blog