Phishing Site Analysis (1) - 【SoftBank】Please be careful: urgent notice.

This is a phishing message that arrived by SMS.
The link was built in the form
https://t.co/xxxx

Opening it redirects to http://93gkkq.duckdns.org.

% dig 93gkkq.duckdns.org

~~omitted~~
;; ANSWER SECTION:
93gkkq.duckdns.org.	60	IN	A	199.167.138.162

~~omitted~~

% whois 199.167.138.162
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.arin.net

inetnum:      199.0.0.0 - 199.255.255.255
organisation: ARIN
status:       ALLOCATED

whois:        whois.arin.net

changed:      1993-05
source:       IANA

# whois.arin.net

NetRange:       199.167.136.0 - 199.167.139.255
CIDR:           199.167.136.0/22
NetName:        OL-372
NetHandle:      NET-199-167-136-0-1
Parent:         NET199 (NET-199-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Netminders Server Hosting (OL-372)
RegDate:        2020-01-22
Updated:        2021-04-12
Ref:            https://rdap.arin.net/registry/ip/199.167.136.0


OrgName:        Netminders Server Hosting
OrgId:          OL-372
Address:        Unit 18 - 16 Sims Crescent, Richmond Hill
City:           Toronto
StateProv:      ON
PostalCode:     L4B 2P1
Country:        CA
RegDate:        2020-07-14
Updated:        2021-11-04
Ref:            https://rdap.arin.net/registry/entity/OL-372


OrgAbuseHandle: NDSAT-ARIN
OrgAbuseName:   Netminders Data Solution Abuse Team
OrgAbusePhone:  +1-647-812-1068
OrgAbuseEmail:  abuseteam@net-minders.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/NDSAT-ARIN

OrgTechHandle: NDSN-ARIN
OrgTechName:   Netminders Data Solution NOC
OrgTechPhone:  +1-647-812-1068
OrgTechEmail:  noc@net-minders.com
OrgTechRef:    https://rdap.arin.net/registry/entity/NDSN-ARIN

Hmm (nothing notable here).

When accessed, it appears to redirect to http://kc6wpx0lo.duckdns.org only for iPhone clients.

% curl "http://93gkkq.duckdns.org"
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title></title>
    <script type="module" crossorigin src="/assets/index-76a215d8.js"></script>
    <link rel="stylesheet" href="/assets/index-2dcbde67.css">
  </head>
  <body>
    <div id="app"></div>
<script>
        if(navigator.userAgent.match(/(iPhone)/i)){
    document.location.href = "http://kc6wpx0lo.duckdns.org";
        }
</script>
  </body>
</html>
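The landing page does not redirect server-side; the decision is made in the browser by testing navigator.userAgent. As an added example (my own code, not part of the original post and not the phishing kit's code), the Python helper below pulls that kind of User-Agent-gated redirect out of captured HTML and evaluates it against a few client strings, so an analyst can see which clients are sent where without loading the page in a real browser. LANDING_HTML is a copy of the page captured above; the three User-Agent strings are constructed test inputs (the iPhone one is the string passed to curl later in this post), and all function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Copy of the landing page served by http://93gkkq.duckdns.org in the capture above.
LANDING_HTML = """<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <title></title>
    <script type="module" crossorigin src="/assets/index-76a215d8.js"></script>
  </head>
  <body>
    <div id="app"></div>
<script>
        if(navigator.userAgent.match(/(iPhone)/i)){
    document.location.href = "http://kc6wpx0lo.duckdns.org";
        }
</script>
  </body>
</html>
"""

# Constructed User-Agent strings used to exercise the gate.
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 Safari/604.1")
DESKTOP_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15")
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0 Mobile Safari/537.36")


@dataclass(frozen=True)
class UaGate:
    ua_pattern: str  # JS regex source tested against navigator.userAgent
    flags: str       # JS regex flags ('i' = case-insensitive)
    target: str      # URL that matching clients are sent to


# Shape handled: if(navigator.userAgent.match(/PATTERN/FLAGS)){ BODY }
_GATE_RE = re.compile(
    r"navigator\.userAgent\.match\(\s*/(?P<pat>[^/]+)/(?P<flags>[a-z]*)\s*\)\s*\)?\s*\{(?P<body>.*?)\}",
    re.DOTALL,
)
# document.location.href = "URL" / window.location = 'URL' / location.href = "URL"
_REDIRECT_RE = re.compile(r"""(?:\w+\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")
_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def find_ua_gated_redirects(html: str) -> List[UaGate]:
    """Return every navigator.userAgent-conditional redirect found in inline <script> blocks."""
    gates = []
    for script in _SCRIPT_RE.findall(html):
        for m in _GATE_RE.finditer(script):
            hit = _REDIRECT_RE.search(m.group("body"))
            if hit:
                gates.append(UaGate(m.group("pat"), m.group("flags"), hit.group(1)))
    return gates


def gate_matches(gate: UaGate, user_agent: str) -> bool:
    """Emulate the JS String.match() test for one client string (only the 'i' flag matters here)."""
    py_flags = re.IGNORECASE if "i" in gate.flags else 0
    return re.search(gate.ua_pattern, user_agent, py_flags) is not None


def expected_landing(html: str, user_agent: str) -> Optional[str]:
    """URL a client with this User-Agent would be sent to, or None if it stays on the page."""
    for gate in find_ua_gated_redirects(html):
        if gate_matches(gate, user_agent):
            return gate.target
    return None


if __name__ == "__main__":
    for name, ua in [("iPhone", IPHONE_UA), ("desktop Safari", DESKTOP_UA), ("Android", ANDROID_UA)]:
        print(f"{name:15s} -> {expected_landing(LANDING_HTML, ua) or '(stays on landing page)'}")
```

Running it reports that only the iPhone string is sent on to kc6wpx0lo.duckdns.org, which matches what was observed; a sandbox or URL scanner that fetches with a desktop User-Agent would see nothing but an empty Vue shell, which is exactly why this gating is used.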

So I did a quick check on this domain as well.

% dig kc6wpx0lo.duckdns.org
kc6wpx0lo.duckdns.org.	56	IN	A	194.126.215.10

% whois 194.126.215.10
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.ripe.net

inetnum:      194.0.0.0 - 194.255.255.255
organisation: RIPE NCC
status:       ALLOCATED

whois:        whois.ripe.net

changed:      1993-05
source:       IANA

# whois.ripe.net

inetnum:        194.126.215.0 - 194.126.215.255
netname:        HK-ALLCLOUD2-20191122
country:        GB
org:            ORG-AL763-RIPE
admin-c:        LZG4-RIPE
tech-c:         LZG4-RIPE
status:         ALLOCATED PA
mnt-by:         mnt-hk-allcloud2-1
mnt-by:         RIPE-NCC-HM-MNT
created:        2019-11-22T12:59:45Z
last-modified:  2019-11-22T14:05:22Z
source:         RIPE

organisation:   ORG-AL763-RIPE
org-name:       ALLCLOUD Limited
country:        HK
org-type:       LIR
address:        Room 34,4/F Beverley Commercial Centre, 87-105 Chatham Road,
                Tsim Sha Tsui, Kowloon
address:        00000
address:        Hong Kong
address:        HONG KONG
phone:          +85221090222
admin-c:        LZG4-RIPE
tech-c:         LZG4-RIPE
abuse-c:        AR56922-RIPE
mnt-ref:        mnt-hk-allcloud2-1
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         mnt-hk-allcloud2-1
created:        2019-11-21T07:22:13Z
last-modified:  2020-12-16T13:39:33Z
source:         RIPE # Filtered

role:           Luo Zhi Guang
address:        Room 34,4/F Beverley Commercial Centre, 87-105 Chatham Road, Tsim Sha Tsui, Kowloon
address:        00000
address:        Hong Kong
address:        HONG KONG
phone:          +85221090222
nic-hdl:        LZG4-RIPE
mnt-by:         mnt-hk-allcloud2-1
created:        2019-11-21T07:22:12Z
last-modified:  2019-11-21T07:22:12Z
source:         RIPE # Filtered

% Information related to '194.126.215.0/24AS136038'

route:          194.126.215.0/24
origin:         AS136038
descr:          IP Transit
mnt-by:         mnt-hk-allcloud2-1
created:        2022-04-06T05:26:35Z
last-modified:  2022-06-13T02:42:13Z
source:         RIPE

% Information related to '194.126.215.0/24AS137427'

route:          194.126.215.0/24
origin:         AS137427
descr:          IP Transit
mnt-by:         mnt-hk-allcloud2-1
mnt-by:         mnt-hk-allcloud2-1
created:        2022-06-13T02:46:32Z
last-modified:  2022-06-13T02:46:32Z
source:         RIPE

% Information related to '194.126.215.0/24AS205960'

route:          194.126.215.0/24
origin:         AS205960
descr:          IP Transit
mnt-by:         mnt-hk-allcloud2-1
created:        2022-06-13T02:45:58Z
last-modified:  2022-06-13T02:45:58Z
source:         RIPE

% Information related to '194.126.215.0/24AS35913'

route:          194.126.215.0/24
origin:         AS35913
descr:          Hostready Solutions
descr:          Abuse address : elvis@hostreadysol.com
descr:          Address : 4023 Kennett Pike
descr:          # 50456 Wilmington, DE 19807
mnt-by:         mnt-hk-allcloud2-1
created:        2023-05-02T13:30:42Z
last-modified:  2023-05-02T13:30:42Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.109 (BUSA)
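What a defender actually needs from these two whois answers is the abuse contact to report to, and the origin ASNs of the route objects covering the prefix (the RIPE answer above lists four route objects for 194.126.215.0/24 with origins AS136038, AS137427, AS205960 and AS35913). As an added example (my own code, not part of the original post), the helper below flattens ARIN- or RIPE-style whois text into key/value pairs and pulls those fields out. The two sample strings are trimmed copies of the answers above, constructed as test inputs; function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Trimmed copies of the whois answers captured above (constructed test inputs).
ARIN_SAMPLE = """\
NetRange:       199.167.136.0 - 199.167.139.255
CIDR:           199.167.136.0/22
OrgName:        Netminders Server Hosting
OrgId:          OL-372
OrgAbuseHandle: NDSAT-ARIN
OrgAbuseName:   Netminders Data Solution Abuse Team
OrgAbuseEmail:  abuseteam@net-minders.com
OrgTechHandle: NDSN-ARIN
OrgTechEmail:  noc@net-minders.com
"""

RIPE_SAMPLE = """\
% Information related to '194.126.215.0 - 194.126.215.255'
inetnum:        194.126.215.0 - 194.126.215.255
netname:        HK-ALLCLOUD2-20191122
org:            ORG-AL763-RIPE
abuse-c:        AR56922-RIPE
source:         RIPE # Filtered

route:          194.126.215.0/24
origin:         AS136038
descr:          IP Transit
mnt-by:         mnt-hk-allcloud2-1

route:          194.126.215.0/24
origin:         AS35913
descr:          Hostready Solutions
descr:          Abuse address : elvis@hostreadysol.com
mnt-by:         mnt-hk-allcloud2-1
"""

_KV_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*?)\s*$")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text: str) -> List[Tuple[str, str]]:
    """Flatten whois output into (key, value) pairs; '%' and '#' comment lines and blanks are skipped."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        m = _KV_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def extract_abuse_contacts(text: str) -> Dict[str, List[str]]:
    """Abuse mailboxes and abuse contact handles, from either registry's field naming."""
    emails: List[str] = []
    handles: List[str] = []
    for key, value in parse_whois(text):
        k = key.lower()
        if "abuse" not in k and "abuse" not in value.lower():
            continue  # e.g. OrgTechEmail is the NOC, not the abuse desk
        for addr in _EMAIL_RE.findall(value):
            if addr not in emails:
                emails.append(addr)
        # abuse-c (RIPE) / OrgAbuseHandle (ARIN) point at a contact object, not a mailbox
        if k in ("abuse-c", "orgabusehandle") and value not in handles:
            handles.append(value)
    return {"emails": emails, "handles": handles}


def route_origins(text: str) -> List[str]:
    """Origin ASNs of the route objects in the answer; several origins for one /24 is worth noting."""
    return sorted({v for k, v in parse_whois(text) if k.lower() == "origin"})


if __name__ == "__main__":
    for name, sample in (("ARIN", ARIN_SAMPLE), ("RIPE", RIPE_SAMPLE)):
        print(name, extract_abuse_contacts(sample), route_origins(sample))
```

For the RIPE case the abuse-c handle still has to be resolved to a mailbox with a second whois query for the role object (the abuse-mailbox attribute), which the answer above does not include; the descr line in the AS35913 route object happens to carry an address directly.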

China (Hong Kong) shows up. I don't quite understand what this information means yet, so that's a task for later.

Accessing it gives an http → https redirect. The certificate was from Let's Encrypt.

From here on it apparently can't be accessed from a PC, so setting the UA to iPhone lets you look at it.

% curl -H "Host: t.co" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "sec-fetch-site: none" -H "sec-fetch-mode: navigate" -H "user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 Safari/604.1" -H "accept-language: ja" -H "sec-fetch-dest: document" --compressed "https://kc6wpx0lo.duckdns.org"
<!DOCTYPE html>
<html lang="ja">
  <head>
    <meta charset="UTF-8">
    <link rel="icon" href="/favicon.ico">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title></title>
    <script type="module" crossorigin src="/assets/index-49331a6e.js"></script>
    <link rel="stylesheet" href="/assets/index-c36ff64a.css">
  <script type="text/javascript" src="https://cdn.bootscdns.org/ajax/libs/jquery/3.6.4/jquery.js"></script>
</head>
  <body>
    <div id="app"></div>

  </body>
</html>

I see, it's built with Vue, as is fashionable now. Even spoofing the UA in Safari on a PC I couldn't get it to work, so I looked at the actual behavior on an iPhone.

Top page

curl -H "Host: kc6wpx0lo.duckdns.org" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "sec-fetch-site: none" -H "sec-fetch-mode: navigate" -H "user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 Safari/604.1" -H "accept-language: ja" -H "sec-fetch-dest: document" --compressed "https://kc6wpx0lo.duckdns.org/"


Card number entry page

curl -H "Host: kc6wpx0lo.duckdns.org" -H "Cookie: sessionid=ef657c91a9235e62bd9616916fff7537" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "sec-fetch-site: same-origin" -H "sec-fetch-dest: document" -H "accept-language: ja" -H "sec-fetch-mode: navigate" -H "user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 Safari/604.1" -H "referer: https://kc6wpx0lo.duckdns.org/" --compressed "https://kc6wpx0lo.duckdns.org/card"




The card number submission request looks like this.

curl -H "Host: kc6wpx0lo.duckdns.org" -H "Cookie: sessionid=ef657c91a9235e62bd9616916fff7537" -H "content-type: application/json" -H "accept: application/json, text/plain, */*" -H "sec-fetch-site: same-origin" -H "accept-language: ja" -H "sec-fetch-mode: cors" -H "origin: https://kc6wpx0lo.duckdns.org" -H "user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 Safari/604.1" -H "referer: https://kc6wpx0lo.duckdns.org/card" -H "sec-fetch-dest: empty" --data-binary "{\"Origin\":\"GSVK\",\"val\":\"0123456789012345-10000|0123456788012344-30000|\",\"page\":\"1\"}" --compressed "https://kc6wpx0lo.duckdns.org/public/putcard"
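The body of that POST shows the kit's wire format: the val field is a list of `<number>-<value>` entries joined with `|`, with a trailing separator. What the value after the hyphen means is not stated in the capture, so the example treats it as opaque. As an added example (my own code, not part of the original post and not the kit's code), the helper below parses that payload, masks each number down to BIN and last four so it can go in a ticket or report, and runs a Luhn check, which also shows that the two numbers submitted during the analysis are dummy values. PUTCARD_BODY is a copy of the request body above; function names are my own.

```python
import json
from typing import List, Tuple

# Body of the POST to /public/putcard captured above; both numbers are the
# dummy values entered during the analysis, not real card numbers.
PUTCARD_BODY = '{"Origin":"GSVK","val":"0123456789012345-10000|0123456788012344-30000|","page":"1"}'


def parse_putcard_payload(body: str) -> List[Tuple[str, str]]:
    """Split the kit's 'val' field: '<number>-<value>' entries joined with '|', trailing '|' included."""
    data = json.loads(body)
    entries = []
    for item in data.get("val", "").split("|"):
        if not item:
            continue  # the trailing separator produces an empty field
        number, _, value = item.partition("-")
        entries.append((number, value))
    return entries


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check; genuine card numbers pass it, the dummy values in the capture do not."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(number: str) -> str:
    """Keep the first six and last four digits only, so the value is safe to write into a report."""
    if len(number) <= 10:
        return "*" * len(number)
    return number[:6] + "*" * (len(number) - 10) + number[-4:]


def summarize_capture(body: str) -> List[dict]:
    """Masked, annotated view of what a single submission hands to the operator."""
    return [
        {"pan": mask_pan(n), "luhn_valid": luhn_valid(n), "value": v}
        for n, v in parse_putcard_payload(body)
    ]


if __name__ == "__main__":
    for row in summarize_capture(PUTCARD_BODY):
        print(row)
```

The same parser can be pointed at a proxy log of the session to count how many entries one victim would have submitted; the Luhn result is only a sanity check on the data, it says nothing about whether a number is active.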

Image upload page


curl -H "Host: kc6wpx0lo.duckdns.org" -H "Cookie: sessionid=ef657c91a9235e62bd9616916fff7537" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "sec-fetch-site: same-origin" -H "sec-fetch-dest: document" -H "accept-language: ja" -H "sec-fetch-mode: navigate" -H "user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 Safari/604.1" -H "referer: https://kc6wpx0lo.duckdns.org/card" --compressed "https://kc6wpx0lo.duckdns.org/up"

The image upload posts to /upload, but whatever I tried it came back with 502 Bad Gateway, so I couldn't get any further.

Putting a proxy in between and faking the response as a 200 didn't change that, so it seems you can't go beyond this point. Presumably, once they have gotten the card number uploaded, the rest doesn't matter to them.

That's it for this time.
