Toronto-based registrar used by GhostNet-linked cyber crooks

Cyber criminals hosted a fraudulent banking Web site on a GhostNet server and set up the domain with the unwitting help of a Toronto-based registrar, says a computer forensics expert.

Gary Warner is a professor of computer forensics with the University of Alabama at Birmingham. Upon arriving in Toronto to speak at the IT360 conference on Wednesday, he was glued to the news of a report released Tuesday by the University of Toronto’s Citizen Lab.

Shadows in the Cloud reveals how a ring of cyber spies stole top secret Indian government documents using a botnet, as well as visa information from Canadian citizens.


Warner, who conducts similar computer security investigations at his lab, ran a cross-reference check of the server IP addresses revealed by Citizen Lab.

He got matches that show some of the servers were also being used for more typical phishing attempts to steal financial information. In particular, he discovered a server had been used to host a fraudulent Citibank Web site that had its DNS registered with Hover.com, a division of Toronto-based Tucows Inc.

“The WHOIS information for the Citibank phishing site that was on one of these IPs did have a connection to Hover.com,” Warner says in an interview with ITBusiness.ca. “The domain had been registered in such a way that it did include a Hover.com e-mail address, under the technical section.”

That e-mail address belonged to Ross Rader, general manager at Hover.com. This is just one case where a criminal slipped through the cracks of the third-largest domain registrar in the world, Rader says.

“We don’t know how these domain names are going to be used,” he says. “Certainly when these cases are brought to our attention, we have [scores] of people to react to that.”

The Citibank phishing Web site remained active for 45 days, according to Warner. WHOIS information on a list of other sites associated with the GhostNet servers was also linked to Hover.com. WHOIS — pronounced Who Is — is a query/response protocol widely used for querying databases to determine the registrant of Internet resources, such as a domain name, IP address block or autonomous system number. (Source: Wikipedia.)
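The cross-reference check Warner describes (matching a report's server IPs against a lab's own phishing-hosting observations, then reading each matching domain's WHOIS record for a registrar-linked contact) can be reproduced on a small scale. The script below is an added illustration, not code from the article, Citizen Lab or Warner's lab; every IP, domain, registrar name and WHOIS record in it is constructed sample data using reserved documentation ranges and `.test` names, and the key/value WHOIS layout it parses is an assumption (real WHOIS output varies by registry).

```python
"""
Cross-reference server IPs from a published report against a lab's
phishing-hosting records, then pull the registrar-linked contact out of
each matching domain's WHOIS text.  All inputs below are constructed
sample data, not the Citizen Lab or UAB datasets.
"""
import ipaddress
import re

# Constructed: server IPs attributed to the espionage infrastructure in a report.
REPORT_IPS = ["198.51.100.23", "203.0.113.7", "192.0.2.250"]

# Constructed: a lab's own phishing-hosting observations (IP, brand, domain, raw WHOIS).
PHISHING_RECORDS = [
    {"ip": "203.0.113.7", "brand": "examplebank", "domain": "examplebank-secure.test",
     "whois": (
         "Domain Name: EXAMPLEBANK-SECURE.TEST\n"
         "Registrar: Example Registrar Inc.\n"
         "Registrant Email: owner@mailbox.test\n"
         "Admin Email: owner@mailbox.test\n"
         "Tech Email: support@registrar.test\n")},
    {"ip": "198.51.100.23", "brand": "examplepay", "domain": "examplepay-login.test",
     "whois": (
         "Domain Name: EXAMPLEPAY-LOGIN.TEST\n"
         "Registrar: Other Registrar LLC\n"
         "Registrant Email: someone@elsewhere.test\n"
         "Tech Email: someone@elsewhere.test\n")},
    {"ip": "192.0.2.9", "brand": "examplebank", "domain": "unrelated.test",
     "whois": "Domain Name: UNRELATED.TEST\nRegistrar: Other Registrar LLC\n"},
]

# Assumed "Role Email: address" line layout; real WHOIS formats differ per registry.
EMAIL_FIELD = re.compile(
    r"^(?P<role>Registrant|Admin|Tech)\s+Email:\s*(?P<email>\S+)\s*$", re.I | re.M)
REGISTRAR_FIELD = re.compile(r"^Registrar:\s*(?P<name>.+?)\s*$", re.I | re.M)


def normalize_ips(ips):
    """Return a set of validated IPv4/IPv6 addresses; malformed strings are dropped."""
    out = set()
    for s in ips:
        try:
            out.add(str(ipaddress.ip_address(s.strip())))
        except ValueError:
            continue  # skip junk rather than let one bad line abort the check
    return out


def cross_reference(report_ips, records):
    """Phishing records whose hosting IP also appears in the report's IP list."""
    wanted = normalize_ips(report_ips)
    return [r for r in records if r["ip"] in wanted]


def parse_whois(text):
    """Pull the registrar name and a role -> e-mail map out of key/value WHOIS text."""
    m = REGISTRAR_FIELD.search(text)
    contacts = {x.group("role").lower(): x.group("email").lower()
                for x in EMAIL_FIELD.finditer(text)}
    return {"registrar": m.group("name") if m else None, "contacts": contacts}


def contacts_at(records, mail_domain):
    """(domain, role) pairs whose WHOIS contact e-mail is hosted at mail_domain."""
    hits = []
    for r in records:
        for role, email in parse_whois(r["whois"])["contacts"].items():
            if email.rsplit("@", 1)[-1] == mail_domain.lower():
                hits.append((r["domain"], role))
    return hits


def overlap_report(report_ips, records, mail_domain):
    """Summarise which report IPs overlap phishing hosting and which WHOIS
    contacts point at the given registrar mail domain."""
    matches = cross_reference(report_ips, records)
    return {"matched_ips": sorted({r["ip"] for r in matches}),
            "matched_domains": sorted(r["domain"] for r in matches),
            "registrar_contacts": contacts_at(matches, mail_domain)}


if __name__ == "__main__":
    import json
    print(json.dumps(overlap_report(REPORT_IPS, PHISHING_RECORDS, "registrar.test"), indent=2))
```

The point of the `registrar_contacts` step is the one the article makes: a contact e-mail at the registrar's own domain in the technical section is a lead to the registrar's abuse or compliance team, not evidence that the registrar is the operator. Run against real data, the IP intersection is the cheap part; the WHOIS parsing needs a per-registry parser or an RDAP client, since field names and layouts are not standardised.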

“We clearly don’t mean that the Hover.com guys are criminals,” Warner says. “But there may be criminals using their services.”

Citizen Lab traced the hackers at the centre of its investigation back to Chengdu, Sichuan in China. While no technical link was made to the Chinese government, the documents stolen by the hackers are sensitive documents relating to India’s military, and correspondence exchanged with the Dalai Lama’s office.

But the cyber criminal activity detected by Warner’s lab is different. It is less targeted on government intelligence, and more focused on stealing financial information and credentials for the purposes of bank fraud.

“We have documented that many of these IP addresses are being used for financial crimes, which we believe are organized by Russian organized crime,” Warner says.

Many Chinese servers advertise “bulletproof hosting,” he adds.

For a premium cost, hackers can be assured these service providers will not take down their servers no matter what criminal activity is being conducted.

So it’s a good bet hackers of all sorts use these same servers.

“Even if you’re a spy, you’ve got to find a place to host your servers,” Warner says.

Tucows has a compliance group that actively investigates the abuse of its services by cyber crooks, Rader says. Once the decision has been made to remove a phishing domain, it can be done with the push of a button. The firm works with anti-fraud partners to examine each transaction conducted on its system and is able to stop 99 per cent of malicious attempts at registration. But the registrar receives thousands of requests a day.

“It’s kind of like spam, eventually someone will find their way around the rules,” he says.

Credit card companies are to blame for not offering secure cards, Rader adds. Cyber criminals are motivated to steal credit card numbers because they can be easily used for fraudulent purposes. If companies like Visa and MasterCard could secure their services, there would be far less incentive to conduct phishing attacks, he says.

Tucows is interested in working with Warner to find out more about the specific phishing cases he has discovered.

Follow Brian Jackson on Twitter.
