cunnie / sslip.io

Golang-based DNS server which maps DNS records with embedded IP addresses to those addresses.
Apache License 2.0

Mitigate use of `sslip.io` in phishing scams (e.g. <http://raiffeisen.94.228.116.140.sslip.io>) #13

Closed cunnie closed 2 years ago

cunnie commented 2 years ago

From the Hetzner complaint:

Dear Brian Cunnie,

We have received information regarding spam and/or abuse from alert@takedownreporting.com.
Please take all necessary measures to avoid this in the future.

We also request that you send a statement within 24 hours to us and to the person who filed the complaint. This response should contain information about how this could have happened and what you intend to do about it.

How to proceed:
- Solve the issue
- Send us a statement by using the following link: https://abuse.hetzner.com/statements/?token=842c78f151dccb9106384e2b6ec945c
- Send a response by email to the person who filed the complaint

The statement will be checked by a staff member who will then coordinate any further proceedings. If you fail to comply within the stated deadline, the IP may be blocked.

Important note:
When replying to us, please leave the abuse ID [AbuseID:9C1714:19] unchanged in the subject line.

Kind regards

Janina Wetzel

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 505-0
Fax: +49 9831 505-3
abuse@hetzner.com
www.hetzner.com

Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: www.hetzner.com/datenschutzhinweis
> Domain Takedown
>
> Form data
> ===============================================
> Name: James Christopher
> E-mail: alert@takedownreporting.com
> Language: de
> Data sharing: NOT approved
> ===============================================
>
> Abuse data
> ===============================================
> Source: 78.46.204.247
> Category: Phishing
>
> Description:
> ------------------------------------
> http://raiffeisen.94.228.116.140.sslip.io
>
> We are the authorized agents representing Raiffeisen Bank International and they have brought the above-mentioned site to our attention, which we believe to be hosted on your platform. Our client did not register this domain and they did not authorize its registrations. We request this domain be unregistered and removed.

They later suggested a list of European Trademarks: https://euipo.europa.eu/eSearch/#advanced/trademarks/1/100/n1=MarkFeature&v1=Word&o1=AND&sf=ApplicationNumber&so=asc

robo9k commented 2 years ago

If the only problematic part is raiffeisen, then remove that feature? I doubt they can claim any trademark in the sslip.io domain itself. Phishing and such is of course still possible with other subdomains of sslip.io and similar DNS services, just without a reassuring freetext domain label to fool users.

In any case I find it curious that they are contacting your hosting provider to take down a domain instead of the domain registrar. You could switch to someone that ... cares less about those abuse notifications.

The safest way to prevent phishing is to only respond with internal IPs, but this is rightfully blocked by some DNS resolvers to prevent rebinding attacks and would make your service much less useful overall. I doubt that a simple denylist such as the European trademark list will solve this problem. There are enough variations to bypass such a filter yet still fool users, e.g. a simple xn--aiffeisen-kge.94.228.116.140.sslip.io might be enough.

Have you tried contacting other "Related Services" that you mention on your own site to collaborate on fighting abuse of such a DNS service?

cunnie commented 2 years ago

Hi @robo9k , you've managed to cut to the heart of many of the issues with this problem.

> In any case I find it curious that they are contacting your hosting provider to take down a domain instead of the domain registrar. You could switch to someone that ... cares less about those abuse notifications.

Hetzner is only that—the hosting provider for the website, which isn't terribly important. The important parts are the 3 DNS servers, which are hosted on AWS, Azure, and GCP.

> The safest way to prevent phishing is to only respond with internal IPs, but this is rightfully blocked by some DNS resolvers to prevent rebinding attacks and would make your service much less useful overall.

I spoke with the author of nip.io about this very topic. His approach was to whitelist the internal IPs, but then do a form of IP-blacklisting (not name blacklisting). I think I'll do something similar—whitelist internal IPs, and blacklist certain domain names (e.g. goldman-sachs....sslip.io)

> e.g. a simple xn--aiffeisen-kge.94.228.116.140.sslip.io might be enough.

Exactly! A simple lookup table of bank names will be easily outwitted by the technique you describe, so a blacklist of domain names won't be as helpful as I'd hoped.

> Have you tried contacting other "Related Services" that you mention on your own site to collaborate on fighting abuse of such a DNS service?

Let's Encrypt said they don't publish their list of "forbidden" certificates, but nip.io said they'd be willing to share their list of blacklisted IPs as long as I keep it private.

cunnie commented 2 years ago

Another abuse email:


Hello Brian,

We are contacting you from the Namecheap Legal and Abuse Team regarding your “cunnie” Namecheap account.

It has come to our attention that phishing content is displayed on your website at the link:

hxxps:// nf-43-134-66-67 [.] sslip [.] io/sg

As a reminder, phishing is expressly prohibited by our Universal Terms of Service Agreement, paragraph 7. "Acceptable Use Policy (AUP)" at https://www.namecheap.com/legal/universal/universal-tos.aspx

We need you to act promptly in removing the reported content within the next 48 hours. While we always try to avoid having to interrupt our customers' services, if we receive no response from you or no action is taken within the mentioned time frame, unfortunately, we will be forced to suspend the domain until the matter is resolved.

Thank you, and we are looking forward to your reply.

================[ Please find the additional information below / attached. ]================


Regards,
Daniil Z.
Legal & Abuse Department
Namecheap, Inc.

Ticket Details
Ticket ID: LMZ-252-54783
Department: Abuse Cases
Type: Domains L&A
Status: In progress
Priority: High

Helpdesk: https://support.namecheap.com/index.php?

cunnie commented 2 years ago

Closing. We now maintain a blocklist of strings & CIDRs.
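The two mitigations discussed in this thread (answer internal addresses unconditionally, refuse names whose freetext label or embedded address is on a blocklist of strings and CIDRs) can be sketched as a small Go policy check. The code below is an added example written for this page; it is not sslip.io's own implementation, and the `Policy`, `Decision`, `ExtractIPv4` and `Evaluate` names, the `RefusePunycode` option (a conservative response to the `xn--` variation robo9k raised: refuse any punycode label rather than try to decode it), and the blocked strings and CIDRs in `ExamplePolicy` are constructed placeholders, not the real blocklist.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Decision is the outcome of applying the policy to one query name.
type Decision struct {
	IP     net.IP // embedded address, nil when the name carries none
	Reason string // "allowed", "allowed-internal", "blocked-string", "blocked-cidr", "blocked-punycode" or "no-ip"
}

// Policy holds the blocklist of strings and CIDRs plus the internal ranges that are always answered.
type Policy struct {
	BlockedStrings []string     // case-insensitive substrings of the query name
	BlockedCIDRs   []*net.IPNet // embedded addresses that are never answered
	AllowedCIDRs   []*net.IPNet // internal ranges, answered regardless of the name
	RefusePunycode bool         // treat any "xn--" label as blocked (assumed option, not an sslip.io feature)
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// ExamplePolicy returns a constructed policy; the strings and ranges are placeholders, not the real blocklist.
func ExamplePolicy() Policy {
	return Policy{
		BlockedStrings: []string{"raiffeisen", "goldman-sachs"},
		BlockedCIDRs:   []*net.IPNet{mustCIDR("203.0.113.0/24")}, // RFC 5737 documentation range
		AllowedCIDRs: []*net.IPNet{
			mustCIDR("10.0.0.0/8"), mustCIDR("172.16.0.0/12"), mustCIDR("192.168.0.0/16"), mustCIDR("127.0.0.0/8"),
		},
		RefusePunycode: true,
	}
}

// ExtractIPv4 finds the first run of four octets in names such as
// "raiffeisen.94.228.116.140.sslip.io" or "nf-43-134-66-67.sslip.io"; labels may be dot- or dash-separated.
func ExtractIPv4(fqdn string) net.IP {
	name := strings.ToLower(strings.TrimSuffix(fqdn, "."))
	tokens := strings.FieldsFunc(name, func(r rune) bool { return r == '.' || r == '-' })
	for i := 0; i+4 <= len(tokens); i++ {
		var octets [4]byte
		ok := true
		for j := 0; j < 4; j++ {
			tok := tokens[i+j]
			n, err := strconv.Atoi(tok)
			// reject non-numeric tokens, out-of-range values and leading zeros ("01")
			if err != nil || n < 0 || n > 255 || (len(tok) > 1 && tok[0] == '0') {
				ok = false
				break
			}
			octets[j] = byte(n)
		}
		if ok {
			return net.IPv4(octets[0], octets[1], octets[2], octets[3])
		}
	}
	return nil
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate applies the policy. Internal addresses are checked first because a phishing
// page on a private address is unreachable from a victim's network anyway.
func Evaluate(p Policy, fqdn string) Decision {
	name := strings.ToLower(strings.TrimSuffix(fqdn, "."))
	ip := ExtractIPv4(name)
	if ip == nil {
		return Decision{Reason: "no-ip"} // the server would answer NXDOMAIN
	}
	if inAny(ip, p.AllowedCIDRs) {
		return Decision{IP: ip, Reason: "allowed-internal"}
	}
	if p.RefusePunycode {
		for _, label := range strings.Split(name, ".") {
			if strings.HasPrefix(label, "xn--") {
				return Decision{IP: ip, Reason: "blocked-punycode"}
			}
		}
	}
	for _, s := range p.BlockedStrings {
		if strings.Contains(name, strings.ToLower(s)) {
			return Decision{IP: ip, Reason: "blocked-string"}
		}
	}
	if inAny(ip, p.BlockedCIDRs) {
		return Decision{IP: ip, Reason: "blocked-cidr"}
	}
	return Decision{IP: ip, Reason: "allowed"}
}

func main() {
	p := ExamplePolicy()
	for _, q := range []string{
		"raiffeisen.94.228.116.140.sslip.io",
		"xn--aiffeisen-kge.94.228.116.140.sslip.io",
		"www-203-0-113-7.sslip.io",
		"dev.10.0.0.1.sslip.io",
		"sslip.io",
	} {
		d := Evaluate(p, q)
		fmt.Printf("%-45s -> %-17s %v\n", q, d.Reason, d.IP)
	}
}
```

Because internal ranges win before the string check, a name like `raiffeisen.10.0.0.1.sslip.io` is still answered; swap the first two checks if the blocklist is meant to apply to private addresses too. A substring blocklist remains only a partial measure, as the thread notes, which is why the example also lets the operator refuse punycode labels outright.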

stokito commented 1 year ago

To help inexperienced users understand that the link is a fraud, an additional subdomain 'fake' may be required, e.g.

fake.bank.1.1.1.1.sslip.com

Or sslip.com renamed to badsite.com. Not sure how efficient this countermeasure will be if most people will ignore it anyway.

But this is just very simple and unsophisticated phishing, so there isn't that much of it, and just a blocklist should be enough.

intexiran commented 3 weeks ago

Hello, I am in Iran and I wanted to buy Intex inflatable products. A store called Intex Iran operates in this country with the domain www.intexiran.com.

Do you confirm that he is your representative in this country?

In addition, this company has been officially registered in Iran, do you think it is valid?