Quick & Dirty: Finding the domain behind a scam E-Mail and shutting it down


Standalone tools used: TracerouteNG / FOCA / Maltego / Nmap
Online tools used: IP Tracker & Blockchain

We all know the annoying scam E-Mails that flood our mailboxes. In recent months a new variant has popped up: it claims to have filmed the victim masturbating while watching porn and threatens to release the video unless money is sent to a certain bitcoin wallet.

Though the E-Mail has all the red flags of a scam (bad wording, no proof that the video exists, not addressed to the victim by name), people have paid money to various bitcoin wallets in the past.

After receiving such an E-Mail once again I noticed something different this time: it was not sent from a throw-away E-Mail address but from an address tied to an actual registered domain, davidstephensusc.com (a mail host, mail.davidstephensusc.com, exists as well, and the domain has an MX record). This caught my attention, so I did some quick research to find out where the domain is hosted, whether I could gather any additional information, and whether there was a way to shut the domain down for good.


First, a proper look at the mail header showed the IP address linked with the domain:

[Screenshot: mail header]
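The header step above, as an added example that is not code from the original post: it parses the Received: chain of a raw mail, finds the host that handed the message to our own mail servers, pulls the sender domain, and builds the follow-up lookups (domain whois, MX, RIR whois on the sending IP). RAW_MAIL, FORGED_MAIL and OUR_HOSTS are constructed; every hostname, IP and Message-ID in them is invented and none belongs to the domain discussed in the post.

```python
"""Find the sending host, its IP and the sender domain in a raw mail.

Added example, not code from the original article. RAW_MAIL is a
constructed message; all names and addresses in it are invented.
"""
import email
import email.utils
import re

# Constructed sample. Received: lines, top to bottom: our inbox server,
# our MX (which saw the scammer's host connect), the scammer's host
# (which saw its own LAN client connect).
RAW_MAIL = b"""\
Received: from mx.example-receiver.net (mx.example-receiver.net [198.51.100.7])
\tby inbox.example-receiver.net with ESMTP id 1abc; Mon, 1 Oct 2018 10:00:00 +0000
Received: from mail.scam-example.test (mail.scam-example.test [203.0.113.45])
\tby mx.example-receiver.net with ESMTPS id 2def; Mon, 1 Oct 2018 09:59:58 +0000
Received: from [192.168.1.20] (unknown [192.168.1.20])
\tby mail.scam-example.test with ESMTPA id 3ghi; Mon, 1 Oct 2018 09:59:50 +0000
From: "David" <contact@scam-example.test>
To: victim@example-receiver.net
Subject: Your account was compromised
Message-ID: <20181001095950.3ghi@mail.scam-example.test>

Send 0.3 BTC to the wallet below or the video goes out.
"""

# Same message with a bogus Received: line the sender added below the
# lines our relays wrote, naming an innocent third party. Constructed.
FORGED_MAIL = RAW_MAIL.replace(
    b"Received: from [192.168.1.20]",
    b"Received: from mail.innocent.test (mail.innocent.test [192.0.2.9])\n"
    b"\tby mail.scam-example.test with ESMTP id 0zzz; Mon, 1 Oct 2018 09:59:45 +0000\n"
    b"Received: from [192.168.1.20]",
)

# Hostnames of the relays we operate (assumed for the sample).
OUR_HOSTS = ("inbox.example-receiver.net", "mx.example-receiver.net")

# "from <host> (<reverse-dns> [<ip>]) ... by <host>" is what MTAs write.
FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """(from-host, from-IP, by-host) per Received: line, newest first.

    Each relay prepends its own line, so the block reads newest to
    oldest. Only lines written by relays we trust are reliable; every
    line below them arrived as part of the sender's message.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        frm, by = FROM_RE.search(hdr), BY_RE.search(hdr)
        if not frm or not by:
            continue
        ip = IP_RE.search(frm.group(2))
        hops.append((frm.group(1), ip.group(1) if ip else None, by.group(1)))
    return hops


def originating_hop(raw, our_hosts):
    """Host and IP that handed the mail to our infrastructure.

    Walk down from the newest line and stop at the first one written by
    a relay of ours whose peer is not ours: that peer IP is the TCP
    connection our MTA really saw, which the sender cannot forge.
    """
    for frm, ip, by in received_hops(raw):
        if by in our_hosts and frm not in our_hosts:
            return frm, ip
    return None


def sender_domain(raw):
    """Domain part of the From: address, lower-cased."""
    msg = email.message_from_bytes(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def lookup_commands(raw, our_hosts):
    """The follow-up queries from the post, filled in from the headers:
    registrar (domain whois), mail host (MX), netblock owner and abuse
    contact (RIR whois on the sending IP)."""
    domain = sender_domain(raw)
    host, ip = originating_hop(raw, our_hosts) or (None, None)
    return [f"whois {domain}", f"dig +short MX {domain}",
            f"dig +short A {host}", f"whois {ip}"]


if __name__ == "__main__":
    print("sender domain:", sender_domain(RAW_MAIL))
    print("originating hop:", originating_hop(RAW_MAIL, OUR_HOSTS))
    for cmd in lookup_commands(RAW_MAIL, OUR_HOSTS):
        print("next:", cmd)
```

The trust boundary matters: reading the header from the bottom up and taking the first public IP is the common shortcut, but on FORGED_MAIL that shortcut would blame mail.innocent.test, while the line our own MX wrote still points at the scammer's host.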
A quick whois lookup showed that the domain was registered through tucows.com in Canada. Tucows told me that they could not help with taking down the domain: they are only the registrar and provide no hosting or other services to the domain holder:

[Screenshot: whois lookup]
With the help of TracerouteNG (a "pimped up" version of the built-in tracert command, run from PowerShell) it was clear that the last hop before the domain's own address was the probable web hoster, and that it is based in Moscow, Russia. The last routed hop only tells you whose network the server sits in; the owner of that netblock, and its abuse contact, is what the RIR whois record for the destination IP gives you:

[Screenshot: TracerouteNG output]
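Confirming the hoster from the netblock record rather than from the last traceroute hop, as an added example that is not part of the original post: it parses a RIPE-style whois answer for the sending IP and pulls out the range, the netname and the abuse mailbox to write to. WHOIS_TEXT is a constructed record with invented names, addresses and handles; the real query is `whois <ip>` against whichever RIR holds the block.

```python
"""Netblock owner and abuse contact from an RIR whois record.

Added example, not from the original post. WHOIS_TEXT is a constructed
RIPE-style answer; every value in it is invented.
"""
import ipaddress
import re

WHOIS_TEXT = """\
% Constructed sample, not a real RIPE database response.

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTING-NET
descr:          Example Hosting LLC, shared web hosting
country:        RU
admin-c:        EH123-RIPE
abuse-c:        AR123-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
created:        2015-03-02T10:11:12Z
last-modified:  2018-06-01T08:00:00Z
source:         RIPE

role:           Example Hosting Abuse
address:        Moscow, Russia
abuse-mailbox:  abuse@example-hosting.test
nic-hdl:        AR123-RIPE
source:         RIPE
"""

# RIR records are "key:   value" lines; comments start with "%".
FIELD_RE = re.compile(r"^([a-z-]+):[ \t]*(.*)$", re.MULTILINE)


def whois_fields(text):
    """All (key, value) pairs in record order; keys may repeat."""
    return FIELD_RE.findall(text)


def first_field(text, key):
    for k, v in whois_fields(text):
        if k == key:
            return v
    return None


def netblock(text):
    """The inetnum range as (start, end) IP addresses, or None."""
    val = first_field(text, "inetnum")
    if not val:
        return None
    start, end = (ipaddress.ip_address(p.strip()) for p in val.split("-"))
    return start, end


def netblock_contains(text, ip):
    """Sanity check: does this record really cover the IP we asked about?"""
    rng = netblock(text)
    return rng is not None and rng[0] <= ipaddress.ip_address(ip) <= rng[1]


def owner_summary(text):
    """What you need before writing the abuse report."""
    return {
        "netname": first_field(text, "netname"),
        "descr": first_field(text, "descr"),
        "country": first_field(text, "country"),
        "abuse": first_field(text, "abuse-mailbox"),
    }


if __name__ == "__main__":
    print(netblock_contains(WHOIS_TEXT, "203.0.113.45"))
    print(owner_summary(WHOIS_TEXT))
```

The containment check is worth keeping: whois servers answer with the most specific object they hold, and a referral or a typo in the IP can hand you a record for a neighbouring block, which would send the abuse report to the wrong provider.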

[Screenshot: MX lookup]
I also checked the domain with FOCA (Fingerprinting Organizations with Collected Archives) but, as the domain did not host a proper webpage, got no results back. Nmap was not helpful either: the domain appears to be hosted at a regular hosting provider rather than on the scammer's own C&C (Command and Control) server, so there was no way to get "deeper" into the hostile system. Finally, I used Maltego to be 100% certain that the domain was indeed hosted in Moscow and that I had not overlooked any details such as connections to other domains, IP addresses or C&C servers:

[Screenshot: Maltego graph]
Once I was certain that the hoster was masterhost.ru I contacted them and they, luckily, quickly took the webpage down and added it to the spamcop.net list. Looking up the bitcoin wallet from the original mail afterwards showed that nobody had paid so far, so the case was closed:

[Screenshot: bitcoin wallet transactions]
The takeaway from this "quick and dirty" research is that you can often only go so far in attributing a domain to abusive use such as sending scam mails, but that, with the cooperation of the web hoster or server provider, such spam campaigns can be shut down quite easily. In this case I was lucky: although the provider sits in Russia, they took the necessary steps to take the website down within minutes. It is of course a very different matter if the hostile entity you research runs its own C&C server, but that is a topic for future blog posts.

Addendum: it would have been better to get the name of the real person behind the spam mails. But companies like Tucows require a subpoena before they release the registrant's name, and that assumes a real name was used during registration at all. In the end this is only a small "victory" in the endless flood of spam/scam mails.
