On August 15, 2013, Brian Krebs featured a screen shot of a fake Outlook webmail login page used by the Syrian Electronic Army in a phishing attack against the Washington Post. If you look carefully at the location bar, you will note that the domain used in the phishing attack is ‘webmail.washpost.site88.net’.

Washington Post Phishing Attack Page

The domain ‘site88.net’ is actually part of a suite of domains belonging to 000webhost.com. 000webhost.com bills itself as a provider of “top class free web hosting services.” Just like free services offered by changeip.com, 000webhost.com has also become a haven for miscreants.

000webhost domain site88.net

Looking through all the subdomains in use at 000webhost.com, we can find many suspicious-looking domain names. The following subdomains have shown up in passive DNS since the beginning of September 2013. Facebook, Yahoo’s Ymail, Google’s Gmail, PayPal, Twitter, and Microsoft Hotmail are all targets for abuse.

facebook.f9.site90.com
facebook17.nounou.site90.com
www.fcebook.site90.com
fecebook.site90.com
www.focobook.site90.com
facebuok.host56.com
facabook.webuda.com
facep00k.webuda.com
yahoo-com.mplcache.webuda.com
facebook.adim.comxa.com
facebook12.touati.comxa.com
ymailup.webege.com
facebook1.khald.comule.com
facbook.comule.com
faceb0ok.comule.com
faacebook.comule.com
paypal.intl.comeze.com
tr-facebook-profile101001.8253930.comze.com
facebook.com-x.comuf.com
facecook.hostzi.com
faicbook.hostzi.com
fceabook.hostzi.com
facebook13.mina42.comoj.com
facebook14.mina42.comoj.com
facebook2013.mina42.comoj.com
mail-ru.comoj.com
www.f4c3book.comoj.com
faceb00ok.facel00k.herobo.com
yahooaccountupdate.remax.uphero.com
face3ook.comyr.com
faceb00k.comyr.com
www.faccbook.vacau.com
facebook.emyemy.comlu.com
g-mail.comlu.com
h0tmail.comlu.com
fa33book.webatu.com
ficebook.webatu.com
facebook10.games2.comuv.com
paypal1.comuv.com
facedook.comuv.com
facep00k.comuv.com
faeebook.comuv.com
facetook.freeiz.com
fakebook.freeiz.com
twitters.freeiz.com
fbook.site40.net
gmail2.site40.net
faceb0k.site40.net
www.faceb0k.site40.net
facebuuk.net63.net
ymail.web44.net
facebook33.zaher.web44.net
facebook999.sunjan.web44.net
www.faceb00k.net84.net
2014facebook.facebeuk.net84.net
facebook2014.facebeuk.net84.net
gmail.net16.net
facabook.net16.net
yahoo.32.net76.net
faceb00k.netne.net
fecebook.netne.net
face8ook.netii.net
facebcck.netau.net
fazebook.netau.net
yaahoo.hostei.com
youtub.net63.net

Cisco TRAC recommends that all organizations pay extra close attention to any traffic destined for free services such as this. There is little chance that anything of value would be missed if an enterprise blocked these 000webhost domains wholesale.
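The two checks the post describes, flagging traffic to 000webhost's free-hosting parent domains and spotting brand-lookalike labels such as faceb0k or h0tmail, can be run over a DNS query log. The script below is an added example written for this page; it is not Cisco TRAC code. The parent-domain list is taken from the subdomains above, the brand list from the brands the post names, and the leet-speak substitution map, the allowlist of genuine brand domains, and the `timestamp client qtype qname` log format are assumptions, with the log lines constructed for the example.

```python
"""Flag DNS queries for 000webhost free-hosting domains and brand lookalike labels."""
import re

# Registrable parent domains seen in the 000webhost phishing subdomains listed in the post.
FREE_HOSTING_PARENTS = {
    "site88.net", "site90.com", "host56.com", "webuda.com", "comxa.com",
    "webege.com", "comule.com", "comeze.com", "comze.com", "comuf.com",
    "hostzi.com", "comoj.com", "herobo.com", "uphero.com", "comyr.com",
    "vacau.com", "comlu.com", "webatu.com", "comuv.com", "freeiz.com",
    "site40.net", "net63.net", "web44.net", "net84.net", "net16.net",
    "net76.net", "netne.net", "netii.net", "netau.net", "hostei.com",
}

# Brands the post names as targets (plus the two hostnames in the Washington Post lure).
BRANDS = ["facebook", "yahoo", "ymail", "gmail", "paypal", "twitter",
          "hotmail", "outlook", "youtube", "washpost"]

# Assumed allowlist of the brands' genuine registrable domains (no lookalike check there).
ALLOWLIST = {"facebook.com", "yahoo.com", "gmail.com", "paypal.com",
             "twitter.com", "hotmail.com", "outlook.com", "youtube.com"}

# Assumed digit-for-letter substitutions: faceb0k -> facebok, f4c3book -> facebook.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "8": "b"})


def parent_domain(fqdn):
    """Return the last two labels of a hostname (enough for these .com/.net parents)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(fqdn, max_distance=2):
    """Return the brand a hostname label imitates, or None.

    Each label is leet-normalised and stripped to letters; a label that contains a
    brand name, or sits within max_distance edits of one, is a hit.
    """
    for label in fqdn.lower().split("."):
        norm = re.sub(r"[^a-z]", "", label.translate(LEET))
        if len(norm) < 4:          # skip www, com, net, f9 and similar
            continue
        contained = [b for b in BRANDS if b in norm]
        if contained:
            return max(contained, key=len)
        best = min(BRANDS, key=lambda b: levenshtein(norm, b))
        if levenshtein(norm, best) <= max_distance:
            return best
    return None


def classify(fqdn):
    """Return the reasons a queried name deserves attention (empty list if none)."""
    parent = parent_domain(fqdn)
    if parent in ALLOWLIST:
        return []
    reasons = []
    if parent in FREE_HOSTING_PARENTS:
        reasons.append("free-hosting:" + parent)
    brand = lookalike_brand(fqdn)
    if brand:
        reasons.append("lookalike:" + brand)
    return reasons


# Constructed DNS query log: timestamp, client IP, query type, query name.
SAMPLE_DNS_LOG = """\
2013-09-05T10:22:01Z 10.0.1.12 A www.faceb0k.site40.net
2013-09-05T10:22:07Z 10.0.1.12 A www.facebook.com
2013-09-05T10:23:14Z 10.0.1.40 A yahooaccountupdate.remax.uphero.com
2013-09-05T10:24:02Z 10.0.1.55 A intranet.example.com
2013-09-05T10:25:30Z 10.0.1.55 A tools.comoj.com
2013-09-05T10:26:11Z 10.0.1.60 A webmail.washpost.site88.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan(log_text):
    """Parse the constructed log format and return (client, qname, reasons) hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        reasons = classify(qname)
        if reasons:
            hits.append((client, qname, reasons))
    return hits


if __name__ == "__main__":
    for client, qname, reasons in scan(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {', '.join(reasons)}")
```

The free-hosting match alone is enough to act on under the post's recommendation; the lookalike label is the extra signal that separates a credential-phishing page from ordinary use of the free host. Note that a label such as fbook is too short to sit within two edits of facebook, so it is caught by the parent-domain check rather than the lookalike check, which is why both are run.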



Authors

Jaeson Schultz

Technical Leader

Cisco Talos Security Intelligence & Research