AMAZIN: Amazon’s Fake Domain— A Detailed Analysis on How Look-Alike Domains hosts Offensive Services

How often do you spot a phishing website with similarly spelt domain? Not very often right. That’s why we need to discuss here about Dark Web and Deep Web. The chances of finding a relatively similar domain of any legit website is high.

Usually a prominent website would purchase similar or look-alike domains and redirects the traffic to their legitimate website.

Image Courtesy: DeviantArts

For say, paypaal.com and paypall.com would get redirected to paypal.com. Since many of the netizens would not be aware about the accurate spellings of these websites, hence these look-alike domains are being purchased as a first line of defense against phishing attempts by corporates.

While purchasing look-alike domains, often the TLDs are being missed. By running a permutation of the targeted word (often website name), it would enlist all the possible combinations of the word, which helps the organization to proceed with the purchase of those domain names with possibly the same TLD i.e. “com”.

As wide range of fancy TLDs such as “.game”, “.tv”, “.shop” are being added to each Domain Registrars targeting various industries such as Gaming, Streaming or Shopping, it is difficult for an organization to purchase large number of domain names with varied TLDs.

Here comes the loophole for an attacker to purchase a domain and mimic the exact contents including the logo which ultimately gets modeled into a phishing campaign.

Here, we are going to uncover how a similarly-spelt domain is being used to carry out offensive services.

When Amazon becomes Amazin, we are going to shed light on an underground marketplace.

Today, I spotted a DarkWeb Marketplace named “Amazin” with the onion URL:- http://n5j6qx3gsiiywbnm.onion

Login Panel for Amazin DarkWeb Marketplace

Another interesting fact is that the same service is available on the surface web :- to be precise on Deep Web, if you know the exact URL.

AMAZIN.BIZ

Amazin is the underground market place to purchase compromised Financial Cards and Dumps, Hacked Accounts like Amazon Accounts with RDP Access, Bank Logins such as Chase Logins with Routing Information.

Though Google had done a pretty good job by not listing the malicious domain on the top result.

But this won’t work if the customer/client gets redirected from the direct look-alike link.

Underground Market which sells Credit Cards, Financial Dumps

Even if a person who lands on this page out of blue, s(he) might not have given a thought to purchase a stolen card, but this would definitely provoke atleast a small number of people to try out the service, as the site claims to have an ESCROW System,which is safe for a purchase.

(In Financial Terms, Escrow is the system which prevents the vendor from accessing the complete payment made by the customer. Once the customer pays, the payment is moved to a 3rd party — Escrow Account and would not be available to the vendor until the customer receives the ordered product. By this way, vendor cannot run away with customer’s payment)

Let’s go for a walk-through to the market place…

The site offers 4 sections namely:-

ACCOUNTS

This list Amazon Logins with pay balances along with RDP & Mail Accesses, Verified Balances on PayPal (Canada & UK Accounts) and Chase Login with Accounts and Routing Info with min. balances $1000 and $5000 for cheaper prices such as $30 to $70.

DUMPS+PINs

This section contains the Dumps from USA, Australia, Europe and Asia. For those who are new to Dumps concept, it is the internal track information (TR1 and TR2) of Credit and Debit Cards, which are primarily used for physical cloning of the cards. Delivery time for these cards are 24 hours for every continents, which raises the concern that the group is omnipresent in each continent and a part of larger group.

E-CODES

This section covers the Gift Cards for Amazon, Google Play and iTunes of larger balances for cheaper prices.

MONEY TRANSFERS

This encompasses Wire Transfers of various banks, PayPal Transfers, Payoneer Transfers and Western Union Transfers.

It is also notable that the site only accepts payment in Bitcoin.

Now, lets dig deep into the Security Measures used by the Marketplace to bolster the security.

>While registering, all the user’s passwords are encrypted using SHA2 256 using the cryptographic JS package named CryptoJS.
>User’s IP address is encrypted using SHA2, not to divulge the same even if the site gets compromised and dumped.
>The site is equipped with CloudFlare service, in order to protect their internal IP address (of course to defend any possible DDoS attack).

On a shallow search, it is found that the site also supports IPv6 and Onion Domains. The site was running on a Citrix Netscalar and Apache as per the 2019 hosting records.

SSL RECORDS

By inspecting the site, it is found that there are 2 SSL Certificates used by the website, i.e.

>SSL Bydefault
>CloudFlare SSL

Following is the Server Certificate:-

Common name: sni.cloudflaressl.com
SANs: sni.cloudflaressl.com, amazin.biz, *.amazin.biz
Organization: Cloudflare, Inc.
Location: San Francisco, CA, US
Valid from February 13, 2020 to October 9, 2020
Serial Number: 0247e236ad7c9a5eb05b43b83f1f0e0d
Signature Algorithm: ecdsa-with-SHA256
Issuer: CloudFlare Inc ECC CA-2

Following is the Chain Certificate:-

Common name: CloudFlare Inc ECC CA-2
Organization: CloudFlare, Inc.
Location: San Francisco, CA, US
Valid from October 14, 2015 to October 9, 2020
Serial Number: 0ff3e61639aa3d1a1265f41f8b34e5b6
Signature Algorithm: sha256WithRSAEncryption
Issuer: Baltimore CyberTrust Root

But still, we haven't got the exact location where the site was hosted, because CloudFlare is often a dead-end for many. But this time, I had gone a little more further to uncover the hosting provider.

After a long searching, I just fed the website to Shodan Network and BOOM!

Identity Disclosed

Sometimes we know the platforms but it we may forget where to look for, especially when your day is long!

The identity disclosed here because as the internet is a continuous monitor and when more assets are associated with a website, there is no reason for them to go unnoticed, at least here.

Here, we refer assets to the services hosted by the site such as Email (ESMTP Mailboxes), POP3, SSL, DNS etc.

From the above image, it is evident that the server uses PLESK as the control panel which also is a commercial web hosting platform.

By checking the hosting history of the same domain, it is found that the domain was hosted on various networks on different timelines:-

208.91.197.46: Confluence Networks Inc
91.195.240.68: SEDO GmbH
93.191.169.210: Akamai Technologies, Inc.

SUMMARY

Real IP: 23.106.125.10
Registered On: 2020–01–05
Registrar: NameCheap
Name Servers: megan.ns.cloudflare.com, sonny.ns.cloudflare.com
Hosting Provider: Leaseweb Asia
Operating System: Ubuntu
Running on: Apache/Citrix Netscalar
Location: Singapore
Onion URL: http://n5j6qx3gsiiywbnm.onion
Surface URL: amazin.biz

KEY-INTAKES

>Anyone can takeover an unused domain and use it for hosting offensive services, which ultimately maligns the brand reputation.
>Actors are now more concentrating on beefing up the security by implementing various security measures.
>There are many trust gain factors like Escrow, SSL implemented by actors to keep their business running round the clock.

Note:- The Article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.

Care to Donate for Research Purpose?
1E4v8eXjieNhKDWc5Rww84D2TXrqxcjVKZ (only BTC Accepted)