Enumerating a Domain – The case of Meep997
World 2 GE brought us another piece of bait today, and with it another clue to the puzzle. As I keep stating, we are conducting this project in small pieces. Today we will be collecting a lot of information on the phishing domain in question and taking a sneak peek at its behavior.
Who is Meep997?
I logged into the game today and hung out at the GE for a few minutes, when something caught my eye.
It was either too early for YouTube to show the name in its search results, or it had already been blocked. So I googled the name, and sure enough the YouTube video popped up. I caught it 43 minutes in. Perfect, maybe we can grab some information.
Caught in the Act
Great, we open the video and find the generic
“Enter here,https://bit[.]ly/3HWElTZ follow the steps and pm me in game”
So of course we visit the URL shortener link and are redirected to:
Obviously, the next course of action here is to take the bait. We make a fake forum post, click post and get to the login page. I prepped an account, knew where it was in game, turned on the VPN, submitted the details and waited. You may be wondering why the VPN: these phishing sites grab your IP and DDoS you while they gather the goods, so that you can't stop them.
I wanted to go back and analyze what happens, so I filmed the entire event. This will go into a grand report of this whole project that will be published later.
So back to the domain. The domain in question in this case is https://secure[.]oldschool.com-ws32902756326586163[.]ru. Note that this is actually a subdomain of com-ws32902756326586163[.]ru: the registrable domain is the .ru name, and "secure.oldschool" is just a subdomain prefix under the attacker's control, chosen so the hostname reads like the legitimate Old School RuneScape login page. Let's see what we can find out with this information.
By performing a whois lookup on the base domain, we see the following information:
- nserver: bob.ns.cloudflare.com.
- nserver: marjory.ns.cloudflare.com.
- Creation date: 2021-09-20T00:56:16Z
If you visit the IP, or the base domain, you will be greeted by a default Plesk hosting control panel. This could be handy information later. This IP address was also reported for RuneScape phishing before, on 27 April 2021, a little over a year ago. By searching the IP address on IPInfo.io, https://ipinfo.io/188.8.131.52, we can also see an abuse contact at firstname.lastname@example.org. We can use this along with the links posted in Report a Phishing Website.
A Pattern Emerges
https://ipinfo.io/184.108.40.206 also reveals further RuneScape phishing websites hosted on the same IP address: com-ws5032094878952423[.]ru, com-ws32902756326586163[.]ru, com-ws933849202918284938[.]ru, and com-ws9800750678024095[.]ru. All of these domains share the same nameservers, and the naming scheme (com-ws followed by a long run of digits, under .ru) makes it obvious they are being generated by some automated system.
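The steps above (splitting the phishing hostname into its registrable domain and look-alike prefix, reading the nameservers and creation date out of whois, and sweeping a list of hostnames for the com-ws naming scheme) are easy to script so the next bait can be triaged in seconds. The Python below is an added example and is not code from the original post. It assumes that for a plain .ru name the registrable domain is the last two labels (true here, but use the Public Suffix List for TLDs like .co.uk), and the whois excerpt and the candidate list are constructed from the values quoted above plus two unrelated hostnames (www.example.com and ipinfo.io) used as controls that must not be flagged.

```python
import re
from urllib.parse import urlsplit

# Naming scheme observed in the post: "com-ws" + a long run of digits, under .ru.
PHISH_PATTERN = re.compile(r"^com-ws\d{12,}\.ru$")


def refang(text):
    """Turn a defanged indicator (example[.]ru) back into a resolvable form."""
    return text.replace("[.]", ".")


def defang(text):
    """Defang a hostname so it cannot be clicked or auto-linked in a report."""
    return text.replace(".", "[.]")


def registrable_domain(hostname):
    """Registrable (base) domain of a hostname.

    Assumption: the last two labels form the registrable domain. That holds for
    plain .ru and .com names; for TLDs with second-level registries (co.uk,
    com.au) use the Public Suffix List instead.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Split a phishing URL into the attacker-controlled base domain and the
    look-alike prefix, and flag the base domain against the naming scheme."""
    host = urlsplit(refang(url)).hostname or ""
    base = registrable_domain(host)
    prefix = host[: -len(base) - 1] if host != base else ""
    return {
        "host": defang(host),
        "base_domain": defang(base),
        # Everything left of the base domain is a subdomain the registrant
        # controls, however much it resembles a real brand.
        "lookalike_prefix": defang(prefix),
        "matches_pattern": bool(PHISH_PATTERN.match(base)),
    }


# Constructed whois excerpt in the .ru registry (TCI) layout, built from the
# nameserver and creation-date values quoted in the post; not a real capture.
WHOIS_SAMPLE = """\
domain:        COM-WS32902756326586163.RU
nserver:       bob.ns.cloudflare.com.
nserver:       marjory.ns.cloudflare.com.
created:       2021-09-20T00:56:16Z
source:        TCI
"""


def parse_whois(text):
    """Pull nameservers and creation date out of a .ru whois response."""
    nservers = [m.group(1).lower().rstrip(".")
                for m in re.finditer(r"^nserver:\s*(\S+)", text, re.M)]
    created = re.search(r"^created:\s*(\S+)", text, re.M)
    return {"nservers": sorted(nservers),
            "created": created.group(1) if created else None}


def cluster_by_pattern(hostnames):
    """Return the (defanged) hostnames whose base domain follows the scheme."""
    return sorted(h for h in hostnames
                  if PHISH_PATTERN.match(registrable_domain(refang(h))))


# Constructed candidate list: the four domains named in the post plus two
# unrelated control hostnames that must not be flagged.
CANDIDATES = [
    "com-ws5032094878952423[.]ru",
    "com-ws32902756326586163[.]ru",
    "com-ws933849202918284938[.]ru",
    "com-ws9800750678024095[.]ru",
    "www.example.com",
    "ipinfo.io",
]

if __name__ == "__main__":
    print(analyze_url("https://secure[.]oldschool.com-ws32902756326586163[.]ru"))
    print(parse_whois(WHOIS_SAMPLE))
    print(cluster_by_pattern(CANDIDATES))
```

Everything stays defanged on the way in and out, so the indicators can be pasted into a report or an abuse e-mail without anyone clicking them. When the next video drops, a new com-ws domain can be appended to CANDIDATES and the cluster re-run; if the whois shows the same two Cloudflare nameservers, that is a second pivot point to tie it to this operator.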
I think that's enough for now. This information, and then some, will go into a report that will be uploaded later to the forums or a database.