What do you get if you cross MSN + scammers + a rogue Chinese ISP? That's right folks, a whole lot of phishing phun!
NB: Those previously at 121.54.174.* moved to .171 after their 174.* IPs were shut off; this will be reflected in the main hpHosts database when someone queries the respective domains' report pages.
My friend Jonathan has been tracking this and keeping me updated, both to keep me abreast of any new domains involved that I've not yet noticed, and on his progress in getting the ISP to take action and disable the IPs involved.
You can probably guess from my posting this that the ISP hasn't exactly been, err, an ISP, or not a responsible one anyway - all of the domains are still live, there have been new ones popping up (the newest being i-tracked-who-blocked-me.com), and the response from the ISP? It's one of their clients, so not their responsibility .... where have I heard this before?
Let's get to that, shall we? The IPNB info shows the following;
For those unaware, 126.com is a Chinese ISP, and unrelated to this incident.
"iJoos Network Solutions" doesn't exist from what I'm seeing, and the contact address provided by this "owner", coupled with the company not existing, suggests the information is actually fake.
So where does Sun Network fit in? Not surprisingly, they're the AS responsible for this IP block;
38197 126.96.36.199/24 SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited
Alas, they're claiming it's simply their customer and not their responsibility ... as I said before - where have I heard that before?
Dear Sun Network, allow me to point something out to you. When a customer signs up with YOUR COMPANY, they are required to agree to an AUP/TOS, which, unless you've deliberately left it out, INCLUDES their NOT using your network for malicious purposes. In short - this is YOUR NETWORK and YOUR RESPONSIBILITY! Given I've yet to see a single legit domain on this entire /24, and the sheer amount of malicious activity, I'm finding myself absolutely disgusted that you're refusing to deal with this.
As an aside, one of Sun Network's upstreams, Arcstar (AS9293), is also seeing malicious activity apparently;
With the other, AS9381, seeing a little activity;
Note, I'm still verifying the activity on the upstreams.
Until Sun Network decides to cease providing a home for this rubbish, I'd strongly urge everyone to blackhole their range. In the meantime, the following are the domains I'm presently aware of;
Those using Microsoft's Security Essentials should be protected from this, as they added detection for it a few days ago after Jonathan reported it to them;
I've not actually seen the trojan side of this yet, only the phishing sites, so if someone else has seen it, or has a sample that uses this IP range, I'd appreciate a copy of it/them.
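For anyone who wants to act on the "blackhole their range" advice above in a checkable way, here is an added example (my own illustration, not code from the hpHosts project or from this post). It takes the two /24 blocks named in the post (121.54.174.0/24 and the .171 block the sites moved to), flags any domain whose resolved address lands inside them, and emits hpHosts-style HOSTS lines plus the Linux null-route commands for the ranges themselves. The domain-to-address pairs in SAMPLE_RESOLUTIONS are constructed placeholders, not real resolutions of the domains mentioned in the post.

```python
import ipaddress
import socket

# Ranges named in the post: the original 121.54.174.0/24 and the
# .171 block the phishing sites moved to after 174.* was shut off.
BLOCKED_RANGES = [
    ipaddress.ip_network("121.54.174.0/24"),
    ipaddress.ip_network("121.54.171.0/24"),
]

# Constructed sample of domain -> resolved address (NOT real resolutions
# from the post; .example names are placeholders for illustration only).
SAMPLE_RESOLUTIONS = {
    "block-checker.example": "121.54.174.17",
    "who-blocked-me.example": "121.54.171.5",
    "legit-site.example": "203.0.113.10",
}


def in_blocked_range(ip, ranges=BLOCKED_RANGES):
    """True if the address falls inside any of the blackholed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def flag_domains(resolutions, ranges=BLOCKED_RANGES):
    """Given {domain: ip}, return the domains hosted inside the ranges, sorted."""
    return sorted(d for d, ip in resolutions.items() if in_blocked_range(ip, ranges))


def resolve_and_flag(domains, resolver=socket.gethostbyname, ranges=BLOCKED_RANGES):
    """Resolve each domain with `resolver` (live DNS by default) and flag the
    ones landing in the ranges. Domains that fail to resolve are skipped,
    since a dead domain is not evidence either way."""
    found = {}
    for d in domains:
        try:
            found[d] = resolver(d)
        except (socket.gaierror, KeyError, OSError):
            continue
    return flag_domains(found, ranges)


def hosts_entries(domains, sink="127.0.0.1"):
    """hpHosts-style HOSTS lines that sink the flagged domains locally."""
    return [f"{sink}\t{d}" for d in domains]


def null_routes(ranges=BLOCKED_RANGES):
    """Linux (iproute2) null-route commands for the ranges; returned, not run."""
    return [f"ip route add blackhole {net.with_prefixlen}" for net in ranges]


if __name__ == "__main__":
    flagged = flag_domains(SAMPLE_RESOLUTIONS)
    print("\n".join(hosts_entries(flagged)))
    print("\n".join(null_routes()))
```

The HOSTS lines cover the individual domains (which is what hpHosts distributes), while the `ip route add blackhole` commands drop the whole /24 at the host regardless of what new domains pop up; the latter need root and are only printed here so you can review them before applying.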
/update 07-11-09 06:02
25 minutes or so after posting this (coinkydink?), Jonathan forwarded me the latest e-mail received from Sun Network, which shows they've now given in to the abuse reports and sent the following to their customer;
I'm a little skeptical as to the timing of this response, but as long as the customer is booted, or ALL of the malicious content is removed and further such activity stopped, then I'll be happy.
Excellent work Jonathan!
I forgot to add these two links for you guys and gals (related campaigns and further documentation on this particular one, from Sophos);
Pics for MSN Friends spams
“MSN Messenger Block Checker” spams