Fraudulent Site, Please Shut Down

Well the title says it all doesn’t it. Today at work i was checking my mail and noticed and email from RSA security with the subject line Fraudulent site, please shut down! [ING-NL 287] DOMAIN: lenss.nl.

  • RSA, an anti-fraud and security company, is under contract to assist ING
  • Netherlands in
  • preventing or terminating online activity that targets, or may
  • potentially target ING
  • Netherlands clients as potential fraud victims.
  • RSA has been made aware that a domain name, which abuses ING Netherlands
  • trademark, has been registered with you. This domain
  • http://lenss.nl/bank/ not only violates ING Netherlands copyright,
  • trademarks and other intellectual property rights, but may also become a
  • host to a phishing attack, or other fraudulent scams against the bank
  • and the bank’s clients.

A few minutes after this email an other email came in from openprovider. These guys manage my domains. The notified me the domain was no moved to their DNS servers and was there for blocked.

Wij ontvingen onderstaande klacht over een van uw domeinen, lenss.nl. Vanwege de ernst heb ik per direct het domein gedeactiveerd door het op lege nameservers te zetten.

Ik verzoek u deze case met gepaste urgentie te behandelen en de aanklager daarvan op de hoogte te stellen.

When i was reading the email from RSA i was pretty shocked. But when reading the email from Openprovider i just got pissed. Why on earth would they disable my domain without doing any research in the matter. They should have contacted me before they took action. So i contacted the guys at RSA and explained the situation. They advised me to send them an email with the explanation. And so i did. They responded quite fast with the following message:

  • Thank you for your co-operation in this matter.
  • The AFCC can confirm that the site in question had no malicious content,
  • while it did seem suspicious because of its content, it being freely
  • accessible and its vague purpose.
  • The current solution and explanation suggested below by the website
  • owner is satisfying and will likely prevent such confusions in the
  • future. Therefore the AFCC has no objection whatsoever to bringing the
  • site in question back up.

So the problem is solved i assumed. But an hour later my domain went offline. And i couldn’t get to my mailbox anymore. The domain was still running on the Openprovider DNS servers. So let’s give them a call i thought. But i guess today is just not my day. Their website was offline. And i couldn’t find any contact information. So i sat back and waited a bit. Didn’t really know what to do. After some time their site came back online. And i was able to find a phone number.

After explaining my story i got the comment please send us an email. But this was not possible anymore since my DNS was changed. So after some pursuance i was put through with the person who emailed me in the first place. The reason they took it offline was because the complaint came from RSA. Which seems to be an authority on this subject. I explained the situation. And told them i was not very happy with the way the handled the situation. After blowing off some steam we agreed the DNS could be changed back again. Which they did!

While checking my log files i noticed the insane long scan on this web server…

  • 82.81.26.105 - - [14/May/2009:04:16:12 -0400] “GET /bank/Scrisoare.txt HTTP/1.1” 301 314 “-“ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
  • 82.81.26.105 - - [14/May/2009:04:16:13 -0400] “GET /bank/scan2.txt HTTP/1.1” 301 310 “-“ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
  • 82.81.26.105 - - [14/May/2009:04:16:13 -0400] “GET /bank/aScprivate.txt HTTP/1.1” 301 315 “-“ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
  • 82.81.26.105 - - [14/May/2009:04:16:14 -0400] “GET /bank/a.tgz HTTP/1.1” 301 306 “-“ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
  • 82.81.26.105 - - [14/May/2009:04:16:14 -0400] “GET /bank/forums.zip HTTP/1.1” 301 311 “-“ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”

that just went on and on for several minutes. Which was done by some Israeli company?

  • 82.81.26.105 - - [14/May/2009:04:21:44 -0400] “POST /bank/dom57.php HTTP/1.1” 301 310 “-“ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
  • 82.81.26.105 - - [14/May/2009:04:21:45 -0400] “POST /bank/bl.php HTTP/1.1” 301 307 “-“ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
  • 82.81.26.105 - - [14/May/2009:04:21:45 -0400] “POST /bank/people.php HTTP/1.1” 301 311 “-“ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”

And a visit from the guys in Redmond.

  • 131.107.0.114 - - [14/May/2009:04:20:59 -0400] “GET /bank HTTP/1.1” 301 300 “-“ “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)”
  • 131.107.0.114 - - [14/May/2009:04:20:59 -0400] “GET /bank/ HTTP/1.1” 200 142 “-“ “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)”

My DSL provider..

  • 82.93.147.119 - - [14/May/2009:04:25:23 -0400] “GET /bank HTTP/1.0” 301 300 “-“ “Wget/1.11.4”
  • 82.93.147.119 - - [14/May/2009:04:25:23 -0400] “GET /bank/ HTTP/1.0” 200 142 “-“ “Wget/1.11.4”

My co-locator..

  • 208.69.120.120 - - [14/May/2009:06:29:24 -0400] “GET /favicon.ico HTTP/1.1” 301 307 “-“ “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)”
  • 208.69.120.120 - - [14/May/2009:06:29:24 -0400] “GET /favicon.ico/ HTTP/1.1” 404 20584 “-“ “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)”

And probably some more. It’s amazing how fast things go.

So why did this all happen? Some time ago a friend pointed out that she could not go to the ING bank website from here work. So to help here out a bit. I created a small proxy script that made it possible for her to login to the bank website. This script was under /bank. I admit i should have password protected this page. But i didn’t see any evil in it. So i left it open. The only thing it did was proxy the requests through my server. Right now i just removed the whole script. And will keep it like that!

The situation i got in today was not very pleasent. But i have to say i am happy with the work RSA Security does. And i am happy RSA and Openprovider assisted me in resolving this case. Thanks guys. But next time please do some more research!

comments powered by Disqus