We are all familiar with email phishing, but attackers are increasingly using other forms of communication because email servers are getting increasingly sophisticated at blocking phishing. Attackers can reach you via phone-based SMS (text message) or social messaging platforms (Facebook, WhatsApp, etc.). The bad news is that you can't track these attackers due to the lack of specifications and standards.
Today, I received a text message: "USPS notification, your package is ready for collection!" This is the holiday season, a lot of people are expecting packages in the mail, and the share of mail orders is much higher due to COVID-19. Be careful before you click the link: you might fall victim to cyber theft by handing your credentials to the attacker.
Like you, I was curious to see who the heck hp06j dot com is. Of course, you wouldn't click this bait because USPS has nothing to do with hp06j! Who owns hp06j dot com?
As you can see, the original domain ownership is hidden; they used WhoisGuard Inc. to hide behind the curtain. That's a red flag. Registered by an offshore company based in Panama! Another red flag.
Okay, it's not easy for attackers to hide if they truly want to harvest data. Thanks to FireEye Mandiant for the lessons I learned during my time at Sabre. I was curious to see where their server is hosted, which is another way to trace the owner. We may not be successful, but we can try! We are going to use a free online tool, Qualys SSL Labs, to identify the servers behind the application domain.
Qualys can't find a server that uses a TLS certificate, but that's okay, since we found the IP address, which is what we are looking for. Let's see who owns this IP address.
The IP address is owned by Alibaba, a public cloud provider. Unfortunately, the buck stops here! We don't know who the real culprit is that owns (rents) the public IP at the cloud provider. None of the cloud providers make that information available to the public. Often those public IPs are shared among customers. This is a problem for investigators and law enforcement agencies. Law enforcement can request information from cloud providers with a legal warrant, but they may not have jurisdiction over the providers.
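To make the WHOIS red flags from the domain step above repeatable, here is an added Python triage helper that is not part of the original post: it parses a constructed WHOIS record modelled on the one described and flags a privacy/proxy registrant, a very young domain, and a registrant country that does not match the impersonated brand. The sample record, the privacy-marker list, and the age threshold are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample WHOIS output (not a real lookup), modelled on the
# privacy-proxied, Panama-registered record described in the post.
SAMPLE_WHOIS = """\
Domain Name: HP06J.COM
Creation Date: 2020-11-20T10:15:02Z
Registrar: Example Registrar, Inc.
Registrant Organization: WhoisGuard, Inc.
Registrant Country: PA
Name Server: NS1.EXAMPLE-DNS.INVALID
"""

# Substrings that usually mark a privacy/proxy registrant, not a real owner.
PRIVACY_MARKERS = ("whoisguard", "privacy", "proxy", "redacted")
WANTED = ("domain name", "creation date", "registrar",
          "registrant organization", "registrant country")


def _iso(ts):
    """Parse a WHOIS-style ISO 8601 timestamp (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_whois(text):
    """Extract the fields we care about from 'Key: value' WHOIS lines."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in WANTED:
            record[key.strip().lower()] = value.strip()
    return record


def red_flags(record, now_iso=None, expected_country="US", young_days=90):
    """Triage warnings for a domain posing as a brand from expected_country
    (US for USPS); the thresholds here are assumptions, not WHOIS rules."""
    now = _iso(now_iso) if now_iso else datetime.now(timezone.utc)
    flags = []
    org = record.get("registrant organization", "").lower()
    if any(m in org for m in PRIVACY_MARKERS):
        flags.append("registrant hidden behind a privacy/proxy service")
    if "creation date" in record:
        age = (now - _iso(record["creation date"])).days
        if age < young_days:
            flags.append(f"domain created only {age} days ago")
    country = record.get("registrant country")
    if country and country != expected_country:
        flags.append(f"registrant country {country} is not {expected_country}")
    return flags
```

Feed it the output of a real `whois` query for the domain in a suspicious text, and the same three checks apply; the IP ownership step is where it stops, as the post explains.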
This is a problem with the internet. I would call upon regulators around the globe to mandate that cloud providers make public IP ownership information available online.