Massive phishing sites with .ci Domain attacked Japan

A large number of phishing sites targeting Japan were created in the .ci domain (ccTLD of Cote d’Ivoire). This attack lasted about a month, from about mid-May to June 14. I have identified approximately 10,000 malicious FQDNs.

With the help of nic.ci and ARTCI, the Registry in Cote d’Ivoire(a.k.a. Ivory Coast), all these malicious domains were shut down. This article describes how it happened.

What was happening

• A large number of phishing sites, approximately 10,000 malicious FQDNs, were created with the .ci domain (ccTLD of Cote d’Ivoire)
• The phishing sites targeted Japan and could not be accessable from outside Japan
• With the cooperation of the .ci domain Registry, all related domains were takedown on June 14, 2022.

The Phishing site appearance

Three types of phishing sites were created: a Japanese credit card (generic type), a Japanese credit card company called イオンカード(AEON Card), and “au” provided by the mobile carrier company KDDI.

a Japanese credit card (generic type)

イオンカード(AEON Card)

au, KDDI

Phishing Domains’ characteristics

The following three malicious domains were the platform of the attack.

• md[.]ci
• presse[.]ci
• asso[.]ci

Listing all the FQDNs was impossible because there were just too many. When a security researcher of my acquaintance and I gathered up each other’s lists, we found approximately 10,000 FQDNs.

At first, I thought that the DNS was set up with wildcards and that I would just see a lot of FQDNs. However, this thought was wrong. If I change the FQDN by even one character, a DNS server did not respond with an A record.

Due to this massive outbreak of phishing FQDNs, the .ci domain quickly rose to the top 4 used by phishing sites worldwide.

via phishstats.info

How the phishing sites work

The phishing site was subjected to typical detection avoidance by IP address. A 404 error was displayed when someone accessed the phishing site from an IP address outside Japan (e.g., the US). This makes it difficult to check phishing sites.

accessed from outside Japan

This technique, called cloaking, is typical behaviour among phishing sites targeting Japan.

In many cases, phishing sites targeting Japan are created outside of Japan. Even if we Japanese send an Abuse Report, the operator can’t access the phishing site (because they access from an IP address not in Japan). The process of checking phishing sites becomes more difficult, which often delays a response.

Therefore, it is necessary for us to report the conditions such as “the site can only be accessed from a Japanese IP address” or “the Accept-Language header of the web browser must be set to ja-JP”.

The trouble with this type of cloaking is that researchers outside of Japan can’t observe what is happening.

Some researchers outside of Japan were aware that a large number of FQDNs were created with .ci domain, but it seems that those who correctly understood what was happening were rare.

Takedown!

For a typical phishing site, we send an Abuse Report to the Registrar of the malicious domain and we ask them to take action. Specifically, ask them to change the Domain Status to clientHold.

For more information on Domain Status, please refer to the ICANN document.
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en

Some attackers who create phishing sites use a technique called Domain Generation Algorithm (DGA) to create a large number of malicious domains. In this case, we have to send a lot of abuse reports to Registrars for every domain, which is a nuisance to deal with.

However, this attack involved creating a large number of subdomains for only three domains. Therefore, we thought it would be easy to respond.…… at first. But we soon found out that this was a very difficult path.

Registrar / AFRIREGISTER

All three malicious domains were registered with the same Registrar, AFRIREGISTER. However, it is inappropriate to send an abuse report to this AFRIREGISTER first of all.

The Registrant of this domain name was a Chinese company, 海南信汇科技有限公司(Hainan Mail Transfer Technology Co., Ltd.). When the Registrant is not an individual but a company, the Abuse Report should be reported to this company at first.

For example, let’s say that Blogger(blogspot), which is run by Google, is being abused to create phishing sites. Blogger’s domain, blogspot.com, is registered with MarkMonitor.

Is it correct to report to MarkMonitor and ask them to takedown the blogspot.com domain? No. If you do that, all blogspot users’ blogs will disappear.

In this case, the correct report is to contact the Google’s support of Blogger and ask Google to take action.

Therefore, if the Registrant is a company, the first thing to do is to report an abuse report to the Registrant company, as we believe that the services provided by the company are being abused.

We reported to Hainan Mail Transfer Technology but unfortunately received no response. Also, it is difficult to ask the Registrar, AFRIREGISTER, to have the domain suspended. (Remember the Blogger example.)

Thus, it was considered difficult to change Domain Status to clientHold.

But still takedown

If you get nothing from the Registrar, you may takedown the domain by sending an Abuse Report to the Registry for that domain. Before we begin, let me explain the difference between a domain registrar and a domain registry, which many people confuse.

domain Registrar and a domain Registry

Registrars are companies that sell domains. For example, Google Domains, NameSilo, Namecheap. And many hosting companies such as GoDaddy combine their Registrar business.

A Registry, on the other hand, is the organization that maintains all registration information for the domains under its jurisdiction. A Registrar’s sale of a domain to a customer is an entry into the registry database. Registry for country code top-level domains (ccTLDs) are often operated by organizations that are public in nature. For example, the Registry for Taiwan’s .tw domain is a foundation called TWNIC. The Registry for the Germany .de domain is DENIC, a Registered cooperative.

Because Registrars and Registries have different privileges, when a malicious domain is takedown, its domain status will differ as follows:

• Registrar has suspended the domain: clientHold
• Registry has suspended the domain: serverHold

Therefore we aimed to make the serverHold by Abuse Report to nic.ci, the Registry for the .ci domain.

Thanks to: nic.ci and ARTCI

We first contacted nic.ci in English but then remembered that French is the official language in Côte d’Ivoire, so we contacted them in French. nic.ci understood the situation and thankfully worked with ARTCI (Ivory Coast — Telecommunications Regulatory Authority) in Côte d’Ivoire.

As a result, the following three domains, where a large number of phishing sites were created, all had Domain Status as serverHold.

• md[.]ci
• presse[.]ci
• asso[.]ci

Thus, the massive storm of phishing FQDNs that appeared in the Internet space disappeared. This was visualized in a cool video by a security researcher of my acquaintance, micham.

Domain WHOIS

Let’s back up a bit and take a closer look at the WHOIS of the domain.

We looked up the Registrant, Hainan Mail Transfer Technology (海南信汇科技有限公司), on the Chinese company search service 天眼查.
https://www.tianyancha.com/company/3419380738

The company’s official website was nearly empty, and it was unclear from the website what services it offered.

However, the company’s registration shows the business of domain management. It appears that the company’s domain management operations were abused to create a large number of phishing sites.

Acknowledgments

• micham, thanks for cool visialization
• kubotaa3, thanks for great Abuse Reports
• harugasumi, thanks for useful FQDN lists
• bunnymaid, thanks for cute comments
• ANeilan, thanks for informative advices
• xiatianguo, thanks for researching a Chinese company
• KesaGataMe0, thanks for daily URL feeds

And I really appreciate the great help of nic.ci and ARTCI in Côte d’Ivoire.

Appendix — IoCs

Since it was a very large attack, I have not been able to cover everything.

OTX AlienVault

• https://otx.alienvault.com/pulse/629e0c6f9b3c8b4a192a29cc
• https://otx.alienvault.com/pulse/629e177800a89665ff1b735c
• https://otx.alienvault.com/pulse/629f5fc15c5f4a507e16b401
• https://otx.alienvault.com/pulse/62a0c15c7ff1d6e853b2f30b
• https://otx.alienvault.com/pulse/62a206f9c55ddeb27092ea73
• https://otx.alienvault.com/pulse/62a38a221654638e30d300ee
• https://otx.alienvault.com/pulse/62a4400ee3c9c8916d25df6e
• https://otx.alienvault.com/pulse/62a4a213e953982ef472daa9
• https://otx.alienvault.com/pulse/62a5539b000230f69c657da1
• https://otx.alienvault.com/pulse/62a578f58e25e6b7ca6a0f04

Domains

• md[.]ci
• presse[.]ci
• asso[.]ci

IP address

107.175.212[.]115

107.175.212[.]118

159.223.33[.]125

164.92.100[.]236

164.92.108[.]6

178.128.119[.]242

192.3.239[.]29

192.3.239[.]5

198.12.89[.]215

23.95.122[.]86