trafficersolutions.com – A Subtle Threat Extended

A440
Posts: 2327
Joined: Sat Nov 20, 2010 1:56 am

Another one . . .

Post by A440 » Sat Oct 05, 2019 5:03 pm

Here is another scam site that has spammed me about my site registration:

domainseo-renewal.info

MarkGiles
Posts: 2067
Joined: Wed Mar 30, 2011 2:40 am

Re: trafficersolutions.com – A Subtle Threat Extended

Post by MarkGiles » Tue Oct 08, 2019 1:24 am

Please see my previous posting.

What am I missing here?

domainseo-renewal.info is hosted somewhere, and is reverse proxied by Cloudflare.
domainseo-renewal.info has address 104.27.162.52
domainseo-renewal.info has address 104.27.163.52

(There are over 800 hosts reverse proxied on those addresses)

It was registered on Namecheap on 2019-09-25

When loaded in a browser:
This domainseo-renewal.info page can’t be found
No webpage was found for the web address: http://domainseo-renewal.info/
So is it only serving up a page from certain referral locations, email links, or URLs?

Myxt
Posts: 2089
Joined: Sat Mar 05, 2011 6:18 am

Re: trafficersolutions.com – A Subtle Threat Extended

Post by Myxt » Tue Oct 08, 2019 11:27 am

MarkGiles wrote (Tue Oct 08, 2019 1:24 am):
What am I missing here?

When loaded in a browser:
This domainseo-renewal.info page can’t be found
No webpage was found for the web address: _http://domainseo-renewal.info/
So is it only serving up a page from certain referral locations, email links, or URLs?
The short answer is Yes. Referring to the known URLs section in
_https://www.virustotal.com/gui/domain/domainseo-renewal.info/relations
we can see that this particular domain expects to process parameters in the form
_https://domainseo-renewal.info/[subdirectory_or_filename]
where subdirectory_or_filename = yourDomain.TLD. This guy is either not wealthy enough or not smart enough to set up a database where random_token = yourDomain.TLD, and then send you a link containing only the random_token (which we couldn't know); therefore, we may be able to trick him into spamming the U.S. Federal Trade Commission (which hunts such people) by loading our own link
_https://domainseo-renewal.info/ftc.gov
and, yes, a very much live and functional domainseo-renewal.info redirects us to payment address
_https://www.seoscout24.com/payment2?domain=ftc.gov&email=&package=2&aff_id=32113
in which variable=value parameters are encoded in the queryString (search string) portion of the URL.

EDIT: Applying this same trick to A440's previously reported seo-domain-renew.pro shows it's alive and functional.

Generally speaking, in addition to chain-redirections, many scammers are migrating to client and even server tricks that require a complex URL (with parameters that identify email recipients, the specific scampaign, and possibly a specific iteration and/or region) to be loaded in a live browser with specific features, especially JavaScript, enabled.

If any of the required conditions are not met, the offending domain may redirect to an alternate site (innocuous or malicious) that is outside of the pathway to the intended scam, or it may present a partially or completely blank page (because the content is loaded by JavaScript, which is disabled), or it may return errors such as 404 or 500 (from real server errors or using pages designed to resemble custom or browser default error pages).

Therefore in many cases, simple domain names posted in lists in the WoT Forum cannot be verified by other members without the complete URL; yet posting the complete URL may expose the poster's real identity. Other spam URLs may contain recipients' domain names, email addresses, etc, encoded in base64 (e.g., "MarkGiles" = "TWFya0dpbGVz") - likely hoping that you think it's safe to publish the whole URL, or at least hoping that you won't know how to game it (e.g., "ZnRjLmdvdg" = "ftc.gov").
____

Now I have a question: how do you run a "passive DNS search" (like you mentioned above)? A brief search gave me the impression that passive DNS logs need to be compiled over a period of time, requiring one to either pay for access or compile his own.
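
To make the point about recipient identifiers concrete, here is an added example (my own code, not from Myxt or the forum) that takes a spam URL of the kind described above, reports any path segment or query value that names a domain, an e-mail address, or base64-encodes one (padding dropped, as in "ZnRjLmdvdg"), and emits a copy with those parts replaced so the link can be posted without exposing who received it. The sample URLs are constructed for the demonstration: the first two follow the redirect pattern in the post, and the third (tracker.example, parameter u) is hypothetical. Campaign identifiers such as aff_id and package are deliberately left in, since they describe the scammer's campaign rather than the recipient.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample URLs (not copied from real spam). The third one is a
# hypothetical link carrying the recipient's domain and name base64-encoded,
# the trick the post warns about.
SAMPLE_URLS = [
    "https://domainseo-renewal.info/ftc.gov",
    "https://www.seoscout24.com/payment2?domain=ftc.gov&email=&package=2&aff_id=32113",
    "https://tracker.example/r/ZnRjLmdvdg?u=TWFya0dpbGVz&package=2&aff_id=32113",
]

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")
# Path segments like "index.html" look like hostnames to DOMAIN_RE; skip them.
FILE_EXT = {"html", "htm", "php", "asp", "aspx", "js", "css", "png", "jpg", "gif"}
REDACTED = "REDACTED"


def try_b64(token: str):
    """Decode token if it is plausible base64 (standard or URL-safe alphabet,
    padding optional) that yields printable ASCII; otherwise return None."""
    if not B64_RE.match(token):
        return None
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)          # spammers often drop the '=' padding
    try:
        text = base64.b64decode(std, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text and all(32 <= ord(c) < 127 for c in text) else None


def classify(value: str):
    """Return (kind, decoded) when value looks like it identifies the
    recipient: kind is 'email', 'domain' or 'base64'. Otherwise None."""
    if "@" in value and DOMAIN_RE.match(value.rsplit("@", 1)[1]):
        return ("email", value)
    if DOMAIN_RE.match(value) and value.rsplit(".", 1)[1].lower() not in FILE_EXT:
        return ("domain", value)
    decoded = try_b64(value)
    if decoded is not None:
        return ("base64", decoded)
    return None


def inspect_url(url: str):
    """Return (findings, sanitized_url). findings is a list of
    (where, original, kind, decoded); sanitized_url has those parts replaced
    by REDACTED. Values such as aff_id=32113 or package=2 are kept: they
    identify the scammer's campaign, not the person who got the mail."""
    parts = urlsplit(url)
    findings = []

    segments = parts.path.split("/")
    for i, seg in enumerate(segments):
        hit = classify(seg)
        if hit:
            findings.append((f"path[{i}]", seg, hit[0], hit[1]))
            segments[i] = REDACTED

    query = []
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        hit = classify(val)
        if hit:
            findings.append((f"query[{key}]", val, hit[0], hit[1]))
            val = REDACTED
        query.append((key, val))

    sanitized = urlunsplit((parts.scheme, parts.netloc, "/".join(segments),
                            urlencode(query), parts.fragment))
    return findings, sanitized


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        findings, clean = inspect_url(url)
        print(url)
        for where, original, kind, decoded in findings:
            print(f"  {where}: {original!r} -> {kind} {decoded!r}")
        print(f"  shareable: {clean}")
```

Run it before pasting a spam link into a thread: anything it reports as domain, email or base64 is the part that ties the URL to you, and the "shareable" line is the version that still lets other members reach the same scam page by substituting their own (or ftc.gov's) domain. The base64 check is heuristic, so treat a short alphanumeric token that happens to decode cleanly as a prompt to look, not as proof.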

MarkGiles
Posts: 2067
Joined: Wed Mar 30, 2011 2:40 am

Passive DNS

Post by MarkGiles » Thu Oct 10, 2019 1:21 am

Thank you for your impressive detailed response.


Concerning Passive DNS search -

These are usually fee paying services, but there are some exceptions.

* https://www.farsightsecurity.com/order-services/ has a grant for unpaid researchers for access to DNSDB. They have an application process.

* https://securitytrails.com/ provides a free sampler

If you want to test one out, try a search on this prolific Eva Pharmacy IP - 95.165.149.124
Responses may need some post-processing if you want to reduce the results to domain names instead of full URLs.

A440
Posts: 2327
Joined: Sat Nov 20, 2010 1:56 am

Re: trafficersolutions.com – A Subtle Threat Extended

Post by A440 » Fri Oct 11, 2019 6:27 am

MarkGiles wrote (Tue Oct 08, 2019 1:24 am):
Please see my previous posting.

What am I missing here?

domainseo-renewal.info is hosted somewhere, and is reverse proxied by Cloudflare.
domainseo-renewal.info has address 104.27.162.52
domainseo-renewal.info has address 104.27.163.52

(There are over 800 hosts reverse proxied on those addresses)

etcetera . . .

So is it only serving up a page from certain referral locations, email links, or URLs?
That is an excellent question. Mark is correct in that the URL only works when the entire string from the spam is entered, which includes the spammed domain name. Anything else is kicked back as "sorry, doesn't exist". Kudos to Mark's diligence!
