Hello, welcome to the Wednesday, May 26, 2021 edition of the Sansonet Storms owners.

Stormcast, my name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today's diary actually was made possible by a reader Earl who discovered some interesting domains within an IP address block, 95-181-152-12

that is hosted by MSK hosting, a hosting company out of St. Petersburg.

Now, Earl's observation is actually interesting from a couple of perspective.

First of all, I didn't even realize that Hurricane Electric has a nice sort of passive reverse

DNS lookup tool. You can enter an IP address or a network, like in this case, and it will

return a list of host names that point or used to point

to these particular IP addresses. Usually, Hurricane Electric is more known for its nice

free IP6 tunnel service and sort of BGP information that they usually provide, and this is, I guess,

something they recently added to their BGP toolkit.

So all noted that a number of domains that point to this particular IP address range are impersonating

well-known brands, like, for example, Instagram. One of the domains, for example,

Instagram-TemSupport.com.

Or Instagram account verification page.com,

which just shouts out the phishing page.

But, of course, these are the kind of host names

and domains that are being used for phishing Instagram users.

Now, Hurricane Electric's BGP pages also make it easy then to figure out what other networks

are hosted by MSK hosting and they're all in the same AS.

Actually, it's just six different slash 24s that are being hosted in this particular

ASN. And it only has one upstream provider, and that's Stormwall, which is an anti-DDoS provider.

...