Staring at traffic in a SIEM for hours each day you get really good at identifying patterns of traffic that look suspicious. Obviously not ALL traffic to Russian domains is an IOC. However, when you see an American based host making outbound requests like this you should investigate surrounding traffic and determine if this matches the user’s typical browsing behavior.
Jino[.]ru appears to be a Russian web hosting provider and I know from previous investigations that Yandex[.]ru is a Russian owned Internet company that operates the largest search engine in Russia. Okay, not exactly a smoking gun. The two requests that stood out to me were:
And another reference to “wildblue”:
Why the weird sub-domain on myjino[.]ru? A quick Google search for “Wild Blue” shows it to be offering a legitimate Satellite Internet service called Exede. WildBlue’s site is http://www.wildblue.com:
I then wanted to find out if the company was also the registrant for WildBlue[.]net. It turns out that WildBlue[.]net was registered and operated by WildBlue Communications, which was acquired by ViaSat in 2009.
Going directly to login.wildblue[.]net shows this is the legitimate email inbox login portal for Exede customers:
And here is the HTML code confirming that WildBlue[.]net is on the up-and-up!
For comparison here is what wildblue-net-upd.myjino[.]ru looks likes:
To the unsuspecting user this site would appear to be completely identical. Well, it isn’t. For starters the login page isn’t using HTTPS. Here is a more detailed look at what’s going on:
The code shows the use of a Data URI scheme employing the optional base64 extension. The Data URI scheme allows you to embed text and binary data directly into the HTML without requesting it from servers using separate HTTP requests. In our case, the Data URI scheme is being used to embed a PNG. For example, looking at the following CSS code:
The “data:image/png;base64” tells the browser that the data is inline, is a PNG image and is base64 encoded. As you can see, the PNG is being used as the entire background image.
Here is the Data URI plugged directly into the browser:
Furthermore, we can see that the form action contains “db.php”, the method is “post”, and the type is “submit”. Here is what the POST request looks like:
My email address (Phishing) and password (Site) can be seen in the POST request above. We can now see that wildblue-net-upd.myjino[.]ru is a phishing site. Users are herded to these phishing sites through phishing email campaigns. Once the credentials are POSTed back to the threat actor’s server the page reloads to the legitimate login portal for the Exede email inbox. The user would then log in to their real account, totally unaware of what just occurred.
With access to a user’s inbox criminals could potentially find PII like phone numbers, credit card information, a physical address, and maybe even a SSN. Furthermore, they could also attempt to use the harvested credentials on popular banking and shopping sites as it’s common for people to reuse passwords on different accounts.
Here are some other sub-domains tied to myjino[.]ru that are likely phishing sites, as well as some Apple phishing sites hosted at that IP:
Above we see phishing sites for Bank of America, Wells Fargo, PayPal, TurboTax, Google, Verizon, and Apple to name a few. All of the sites listed above were registered from 02-09-16 to 02-27-16, with more likely to come.
I would recommend blocking 220.127.116.11. I might even go a step further and block the entire 18.104.22.168/16 network as there are more phishing sites being hosted throughout that block.
VT detection for myjino[.]ru:
Phishing history for myjino[.]ru: