Phishing scams and the Mystery of Africa (AFRINIC)

ozuma5119 / Yusuke Osumi
Apr 29, 2020

Phishing scams are a common cybercrime all over the world. I live in Japan and receive many Japanese Phishing emails every day.

A Phishing Site of Amazon Japan

As a Security Researcher, I investigated Phishing Sites targeting Japan and found some odd IP addresses. By observing the Phishing Actors' infrastructure, we can see what goes on behind the scenes of cybercrime.

In this article, I will show one such odd IP and introduce the mystery of Africa (AFRINIC).

Phishing Sites Infrastructure

To create a Phishing Site, Actors need two things: a domain and an IP address (server).

Domain Registrar

Phishing Actors targeting Japan tend to use Chinese Domain Registrars. They often use 西部数码, 域趣网络, 新网, and so on.

As for other countries, cheap Registrars (eNOM, NameSilo, GoDaddy) are often used.

IP address (Server)

The actors use many Hosting companies. Most of them are legitimate, but some IP addresses belong to strange networks.

A characteristic group of actors uses these strange IP addresses: they are located in China or Hong Kong but allocated by AFRINIC.

AFRINIC and IP addresses

AFRINIC (African Network Information Centre) is the Regional Internet Registry for Africa; it manages and allocates IP addresses on the continent.

The Phishing Actors targeting Japan often use AFRINIC's IP addresses, even though these IPs are located in China🇨🇳 or Hong Kong🇭🇰. Here is an example.

A Phishing Site of au (KDDI Corporation's brand), a famous Japanese telecommunications company

This Phishing Site, hxxp://au-jje[.]com/, resolves to 154.202.14[.]62 (scanning log) and was created on April 28th, 2020.

154.202.14[.]62 is allocated by AFRINIC.

This IP address is allocated by AFRINIC and assigned to "Cloud Innovation" in Seychelles🇸🇨 and the US🇺🇸.

Where is the Server?

Now let's run the traceroute command to investigate the location of the Phishing Server.

traceroute (by TCP) to 154.202.14[.]62

traceroute says this IP is located in China🇨🇳. Really strange. Normally, Chinese networks use IP addresses allocated by APNIC (Asia-Pacific Network Information Centre) or CNNIC (中国互联网络信息中心). Why do Phishing Actors use AFRINIC's IP addresses in China?

Of course, such cases do sometimes occur. ARIN (American Registry for Internet Numbers) allocates IP addresses to Amazon AWS, so when I create a website on AWS in the Tokyo Region, I use an ARIN IP address in Japan.

But this AFRINIC case is strange: Phishing Actors have no legitimate reason to use an AFRINIC IP address in China.
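To turn this reasoning into a repeatable triage check, here is an added example (not code from the original post) that parses a constructed RPSL-style whois record and flags an address whose publishing registry does not serve the country where the host was actually observed. The whois text, netname, org handle and the small country-to-RIR map are assumptions for illustration, not real registry data.

```python
import re

# Constructed RPSL-style whois record for illustration only; the values below
# are made up and are NOT a real AFRINIC response for the article's IP.
SAMPLE_WHOIS = """\
% Constructed sample, not real registry output
inetnum:        154.202.14.0 - 154.202.14.255
netname:        EXAMPLE-NET
descr:          constructed sample network
country:        SC
org:            ORG-EXAMPLE-AFRINIC
status:         ASSIGNED PA
source:         AFRINIC
"""

# Small illustrative country -> RIR map covering the countries named in the
# article (assumption: a real tool would use a full ISO-3166 -> RIR table).
COUNTRY_RIR = {"CN": "APNIC", "HK": "APNIC", "JP": "APNIC",
               "SC": "AFRINIC", "ZA": "AFRINIC", "US": "ARIN"}


def parse_rpsl(text):
    """Parse 'key: value' lines of an RPSL whois answer; '%' comments and
    blank lines are skipped. Only the first occurrence of a key is kept,
    which is enough for a single inetnum object."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z][a-z-]*):\s*(.*?)\s*$", line)
        if m:
            record.setdefault(m.group(1), m.group(2))
    return record


def rir_mismatch(record, observed_country):
    """Return a finding string if the registry that published the record
    (source:) does not serve the country where the host was observed
    (e.g. via traceroute or geolocation), otherwise None.
    This is a triage signal, not proof: cloud providers legitimately
    announce ARIN space in Tokyo, as the article notes."""
    source = record.get("source", "").upper()
    expected = COUNTRY_RIR.get(observed_country.upper())
    if expected is None or source == expected:
        return None
    return (f"{record.get('inetnum', '?')} published by {source} "
            f"(registry country {record.get('country', '?')}) "
            f"but observed in {observed_country}; expected {expected}")


if __name__ == "__main__":
    rec = parse_rpsl(SAMPLE_WHOIS)
    print(rir_mismatch(rec, "CN"))   # flagged: AFRINIC block seen in China
    print(rir_mismatch(rec, "SC"))   # None: consistent with the registry
```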

IP Address Heist from AFRINIC

According to the article "The Great $50M African IP Address Heist" on Krebs on Security, part of AFRINIC's IP address space was stolen. Those IP addresses are often exploited by spammers and scammers alike.

I suppose this IP address is the same case. Some stolen IP addresses were sold to Phishing Actors, who use them for Phishing Sites. Japanese users are suffering from such a murky history.
