Internet Domain Registry

Wednesday, 29 October 2008

Caution: Enom Phishing continues

Posted on 06:13 by Unknown
If you have a domain name registered with the ICANN Registrar Enom, please be on the alert! A phishing campaign began against Enom users on October 27th. Here's what the phishing page looks like. As the phishing page points out, eNom is the "#1 Registrar Reseller" for the past seven years, and manages more than eleven million domain names!

It's too early to know whether this attempt to steal user IDs and passwords for some of those eleven million domain names is related to the announcement that ICANN has terminated ESTDomains' privileges. As we mentioned yesterday, the absence of ESTDomains may be a great inconvenience to criminals who are accustomed to using its services to register new domains for their criminal activities.

The spam from the earlier version looked like this:
Dear eNom Customer,

Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable:

* Main site
* All web hosting services
* Email services
* Communication with the registry affecting new registrations, renewals, and transfers

For access your account follow this link - http://www.enom.com

The following services will not be affected and will continue to be fully operational:

* DNS will resolve normally - although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period
* Email forwarding and site redirection will operate normally

We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience.

Sincerely,
eNom Tech Support
The UAB Spam Data Mine received 298 copies of the earlier campaign, which resolved to seven unique domain names. Instead of sending the user to the actual domain for Enom, they were redirected to:

www.enom.com.com62.biz
www.enom.com.com72.biz
www.enom.com.com82.biz
www.enom.com.com92.biz
www.enom.com.com94.net
www.enom.com.sys52.net
www.enom.com.sys82.net
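The redirect hosts above all bury the real registrar's name inside the subdomain of an unrelated registrable domain, while the message body shows a plain http://www.enom.com link. The following is an added Python example, not code from the original post, that flags both tells; BRAND_DOMAINS, PHISH_HOSTS and the "registrable domain is the last two labels" rule are assumptions.

```python
"""Detect registrar-brand lookalike hosts such as www.enom.com.com62.biz.

Added example, not code from the original post. Assumption: a hostname's
registrable domain is its last two labels (true for .biz/.net/.com here; a
production check would use the Public Suffix List for suffixes like co.uk).
"""
from typing import Optional
from urllib.parse import urlsplit

BRAND_DOMAINS = ("enom.com",)  # the legitimate registrar domain named in the post


def labels_of(host: str) -> list:
    return host.lower().rstrip(".").split(".")


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'com62.biz' for 'www.enom.com.com62.biz'."""
    return ".".join(labels_of(host)[-2:])


def impersonated_brand(host: str) -> Optional[str]:
    """Return the brand whose labels appear inside `host` while the host is
    actually registered under a different domain, else None."""
    labels = labels_of(host)
    reg = registrable_domain(host)
    for brand in BRAND_DOMAINS:
        if reg == brand:
            return None  # genuinely under the brand's own domain
        b = brand.split(".")
        if any(labels[i:i + len(b)] == b for i in range(len(labels) - len(b) + 1)):
            return brand
    return None


def check_link(display_text: str, href: str) -> dict:
    """Two phishing tells from the post: a brand buried in the subdomain, and
    link text naming enom.com while the href points somewhere else."""
    host = urlsplit(href).hostname or ""
    shown_url = display_text if "://" in display_text else "http://" + display_text
    shown = urlsplit(shown_url).hostname or ""
    return {"host": host, "registrable": registrable_domain(host),
            "impersonates": impersonated_brand(host),
            "text_href_mismatch": registrable_domain(shown) != registrable_domain(host)}


# Constructed sample: the seven redirect hosts quoted in the post.
PHISH_HOSTS = ["www.enom.com.com62.biz", "www.enom.com.com72.biz",
               "www.enom.com.com82.biz", "www.enom.com.com92.biz",
               "www.enom.com.com94.net", "www.enom.com.sys52.net",
               "www.enom.com.sys82.net"]
```

Running `check_link("http://www.enom.com", "http://www.enom.com.com62.biz/")` reports the registrable domain `com62.biz`, the impersonated brand `enom.com`, and a text/href mismatch.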

The email subject lines for the first batch were:

Maintenance
Maintenance at eNom
Maintenance at eNom - attention
Maintenance at eNom - warning
Maintenance at eNom.com
Maintenance at eNom.com - attention!
Maintenance at eNom.com - warning!

Sending names including:

eNom Inc
eNom Support
eNom Support Team
eNom Team
eNom Tech Support
eNomCentral Inc
eNomCentral Support
eNomCentral Team
eNomCentral Tech Support

From addresses were customercare@enom.com, info@enom.com, info2@enom.com, support@enom.com, or tech@enom.com.

We have received roughly fifty of these spam messages so far today. Here's a typical one:

=====================

Dear user,

On Wed, 29 Oct 2008 12:22:39 +0530 we received a third party complaint of invalid domain contact information in the Whois database for this domain. Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.

The contact information for the domain which displayed in the Whois database was indeed invalid. On Wed, 29 Oct 2008 12:22:39 +0530 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain.

PLEASE VERIFY YOUR CONTACT INFORMATION - http://www.enom.com

If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to:

Attn: Domain Services 14455 N Hayden Rd Suite 219 Scottsdale, AZ 85260

LINK TO CHANGE INFORMATION - http://www.enom.com

Thank you,
Domain Services

[IncidentID:85036]
==================

The domains are, of course, fast-flux hosted. At the moment of this writing each resolves to the following IP addresses:

67.242.30.251
70.68.199.207
71.230.88.68
72.2.13.24
75.142.147.100
76.112.161.176
76.235.212.56
98.218.41.200
99.245.182.179
209.252.169.130

But a quick history shows that they have also resolved to all of the following:

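A resolution history like the one above, many unrelated consumer-ISP addresses answering for the same hostname within hours, is what a fast-flux detector keys on. The following is an added Python example, not code from the original post, that scores a passive-DNS style log by distinct addresses and distinct /16 prefixes per time window; the hostname and addresses are the ones quoted in the post, while the timestamps, the www.example.com control host, its 192.0.2.10 placeholder address and the thresholds are constructed.

```python
"""Flag fast-flux candidates from a passive-DNS style resolution log.

Added example, not code from the original post. Hostnames and addresses are
the ones quoted in the post; the timestamps and the control host are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed log: (UTC timestamp, hostname, A record).
OBSERVATIONS = [
    ("2008-10-29T00:00:00", "www.enom.com.com62.biz", "67.242.30.251"),
    ("2008-10-29T01:00:00", "www.enom.com.com62.biz", "70.68.199.207"),
    ("2008-10-29T02:00:00", "www.enom.com.com62.biz", "71.230.88.68"),
    ("2008-10-29T03:00:00", "www.enom.com.com62.biz", "72.2.13.24"),
    ("2008-10-29T04:00:00", "www.enom.com.com62.biz", "75.142.147.100"),
    ("2008-10-29T05:00:00", "www.enom.com.com62.biz", "76.112.161.176"),
    # Control host: a stable site that always answers from one address
    # (192.0.2.10 is a documentation/TEST-NET placeholder, not a real server).
    ("2008-10-29T00:00:00", "www.example.com", "192.0.2.10"),
    ("2008-10-29T06:00:00", "www.example.com", "192.0.2.10"),
]


def fast_flux_candidates(observations, window=timedelta(hours=24),
                         min_ips=5, min_nets=3):
    """Return {host: {"ips": n, "nets": m}} for hosts that, within some
    `window`, answered from at least `min_ips` distinct addresses spread over
    at least `min_nets` distinct /16 prefixes. The /16 spread is a cheap
    stand-in for network diversity: a legitimate CDN may rotate many
    addresses but usually inside a few provider ranges, whereas infected
    residential hosts are scattered across unrelated ISPs."""
    by_host = defaultdict(list)
    for ts, host, ip in observations:
        by_host[host].append((datetime.fromisoformat(ts), ip))
    flagged = {}
    for host, recs in by_host.items():
        recs.sort()
        best = (0, 0)
        for i, (t0, _) in enumerate(recs):  # window anchored at each record
            ips = {ip for t, ip in recs[i:] if t - t0 <= window}
            nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
            best = max(best, (len(ips), len(nets)))
        if best[0] >= min_ips and best[1] >= min_nets:
            flagged[host] = {"ips": best[0], "nets": best[1]}
    return flagged


if __name__ == "__main__":
    print(fast_flux_candidates(OBSERVATIONS))
```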

This botnet of hosting machines is also associated with a group of child pornography servers. These domains use "ns4.nastynameserver.com" (also ns5, ns6) and "ns1.xwhlwww.com" as their nameservers, alongside such domains as "littlelolita", "lolita-bbs", "nude-kids", "xlsites" and others. (More information is available to law enforcement; just ask.)