Tracking emptiness, or attacks on non-existent resources


    Recently there has been a lot of talk that social networks and instant messengers look into private correspondence and use it for their own purposes. After the latest jab at the now-fashionable Telegram, we thought of conducting another study on this topic.

    At the end of September, a colleague and I took part in filming a segment for Channel One about the phishing schemes of Internet scammers. To show the reporters some details of such “fishing,” a double of Odnoklassniki.ru was registered at m.odnoklassnliki.ru. This copy of the mobile version of the social network, with the extra letter “l”, was created in a couple of minutes with the Social-Engineer Toolkit (SET); it was not submitted to any search engine and was intended only for a practical demonstration of data interception.

    After the shooting the fake was taken down, but even during preparation we had been interested in the visit statistics: the IP addresses of the guests belonged to mail.ru, Microsoft, LeaseWeb and Selectel Ltd. We decided to create another empty site on another domain, milcrosoft.com, in order to systematize the interest that various monitoring systems show in an unknown phishing-like site, and then to see who appears in the logs if a link to a subdomain, office365.milcrosoft.com, is sent in a private message.

    Initial configuration

    The page contained no text or multimedia, and the nginx configuration served a blank page when the resource was visited:

    server {
        listen 80;
        server_name milcrosoft.com www.milcrosoft.com;

        # Close the connection without a response (444) for any other Host header
        if ($host !~ ^(milcrosoft.com|www.milcrosoft.com)$) {
            return 444;
        }

        # Only GET is answered; every other method is dropped the same way
        if ($request_method !~ ^(GET)$) {
            return 444;
        }

        # The access log is the whole point of the experiment
        access_log /var/log/access.log main;
        error_log /var/log/error.log;

        location / {
            root /var/www/milcrosoft;
            index index.php index.html index.htm;
        }

        error_page 404 500 501 502 504 /error.html;
    }

    The same configuration was used for the second domain, office365.milcrosoft.com.

    Part One - Internet Bots

    The fastest was a Chinese bot with the address 110.75.105.9, owned by Zhejiang Taobao Network Co., Ltd. It appeared on the site's first day.

    The next day, the robots of the Google, Yahoo, Bing and Baidu search engines came to the page with GET / HTTP/1.1 and GET /robots.txt HTTP/1.1 requests.

    Among security companies it is worth noting Kaspersky Lab: its bot with IP 93.159.230.39 may have analyzed the page for its reputation system. No other anti-virus company visited the page. Similar statistics were apparently collected by the phishmongers.com bot (198.186.192.44), by the “competitive intelligence” aiHitBot, and by Netcraft, the makers of an anti-phishing toolbar, which sent a HEAD / HTTP/1.1 request on the 14th day of the page's life.

    A lot of curiosity was also shown by the “crawlers” from DomainSONOCrawler, which came several times a day under various user agents, as well as by the Chinese crawl.baidu.com.

    Worth noting are the South Korean visitors from BORANET (211.36.137.129) with the request GET /hardware/warr HTTP/1.1 (probably intended for microsoft.com/hardware/warranties), who came from a SAMSUNG SM-G920L smartphone. In general there were many requests from mobile devices, most of all from iPhones, and most likely they were the result of typos when entering the name of the official MS website.

    Guests from CHINANET (115.195.117.24) with a WIN98 user agent were also a surprise.

    Attacks on the admin panel

    On the third day, “admins” began to be probed from the address 91.210.145.15, located in Zheltye Vody near Dnepropetrovsk. The following requests came from the network named ICTNET-UA-NET:

    GET /wp-login.php HTTP/1.1 (detecting the WordPress admin panel)

    GET /administrator/index.php HTTP/1.1 (detecting the Joomla! panel)

    GET /admin.php HTTP/1.1 (detecting a generic admin panel)

    The next day such requests were recorded from the address 193.201.227.78 (Ukraine), and then from 46.216.0.141 (Belarus). Geographic affiliation, of course, plays no role; anyone can buy a VPS anywhere.

    For what purpose are such requests made? Since we did not set ourselves the goal of building a fully functional honeypot, we can only assume that they pose the greatest threat to freshly created pages on popular engines such as WordPress or Joomla!. If the owner has not yet changed the default password, they may not notice that someone has added malicious code or is using the site to send spam or intercept confidential information.

    Among other visitors to the test page, it is worth noting Societe Francaise du Radiotelephone (93.20.177.34) with a GET /favicon.ico HTTP/1 request, numerous visits from www.best-seo-report.com from various addresses, and guests from the Tor network (IP 192.99.246.164) with the host name tor-exit.ethanro.se and the address www.pizza-tycoon.com in the user-agent header.

    On one of the last days of our experiment, access to the WordPress admin panel was checked again from the Brazilian address 201.93.81.118 with the request GET /wp-login.php HTTP/1.1. In addition, a GET /?author=1 HTTP/1.0 request was sent from IP 119.82.24.111.

    Part Two - Reading Correspondence

    Later, we checked how carefully social networks and popular messengers treat links in private messages. About two years ago Microsoft was already caught doing this: two employees of a German online publication exchanged HTTPS links over Skype and a few hours later found traces in their server logs of a visit from a Microsoft IP address. And this fall, Reddit users even discussed rumors that Facebook had learned to show contextual advertising based on keywords in voice conversations. One reader claimed that his FB started showing ads in Spanish after he became interested in Spanish TV shows.

    It seems too early to investigate social networks spying on voice traffic, so we limited ourselves to sending a link to our page in messages to other subscribers. The recipient of the message did not visit the address, so as not to introduce unnecessary entropy.

    As it turned out, the bots of Skype, Twitter, Facebook and VKontakte actively visit a page whose address is sent in private correspondence. Telegram does this too; however, if you enable “Secret chat” mode in this messenger, the robot stops following the transmitted link.
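    As an added example (not part of the original article), the following Python script shows how the access log from both parts of the experiment could be triaged: it parses nginx "combined"-style lines, flags the admin-panel probes and the /?author=1 enumeration request quoted above, and attributes hits to the messenger in which a link was sent by giving each channel its own unique path. The channel tokens, the log lines and the IPs in the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are constructed; the probed paths and the two scanner IPs are those quoted in the article.

```python
import re
from collections import defaultdict

# nginx "combined"-style line: ip - - [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths the article saw probed on the empty site (CMS admin panels) and
# the WordPress user-enumeration query (/?author=N).
ADMIN_PROBES = {"/wp-login.php", "/administrator/index.php", "/admin.php"}
ENUM_QUERY = re.compile(r"^/\?author=\d+$")

# Hypothetical per-channel tokens: one unique URL per messenger, so a hit in the
# log can be attributed to the channel in which that link was sent.
CHANNEL_TOKENS = {"/a1b2c3": "skype", "/d4e5f6": "telegram-secret", "/g7h8i9": "facebook"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    path = entry["path"]
    if path in ADMIN_PROBES:
        return "admin-probe"
    if ENUM_QUERY.match(path):
        return "user-enum"
    if path in CHANNEL_TOKENS:
        return "link-preview:" + CHANNEL_TOKENS[path]
    return "other"

def scan_log(lines):
    """Return {category: {source ip, ...}} over all parseable lines."""
    report = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry:
            report[classify(entry)].add(entry["ip"])
    return dict(report)

# Constructed sample lines modelled on the requests quoted in the article
SAMPLE = """\
91.210.145.15 - - [03/Oct/2015:10:14:01 +0300] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
91.210.145.15 - - [03/Oct/2015:10:14:02 +0300] "GET /administrator/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
119.82.24.111 - - [12/Oct/2015:08:00:00 +0300] "GET /?author=1 HTTP/1.0" 404 162 "-" "-"
198.51.100.7 - - [13/Oct/2015:09:00:00 +0300] "GET /a1b2c3 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (constructed preview bot)"
203.0.113.5 - - [13/Oct/2015:09:01:00 +0300] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for category, ips in sorted(scan_log(SAMPLE).items()):
        print(category, sorted(ips))
```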
