188.8.131.52 hosted on what appears to be a Hurricane Electric IP. Personally, I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.108.40.206/26 suballocated to:
contact:Company:White Falcon Communications
contact:Street-Address:3-758 Riverside Dr
The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 220.127.116.11/26 range now.
Sites that are flagged as malware by Google are highlighted and these are all hosted on 18.104.22.168. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].
Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.
So, who is this outfit? Well, it didn't take long to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".
However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 22.214.171.124/26 to be on the safe side.
* fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.
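As an added example (not code from the original post), the following Python script applies the same triage to a CSV in the layout described in the footnote above: it counts the domains flagged by MyWOT, Google Safe Browsing or SURBL and lists which of them currently resolve into the suspect /26. The domains, ratings and the range are constructed placeholders; 192.0.2.0/26 is an RFC 5737 documentation range standing in for the real suballocation.

```python
import csv
import io
import ipaddress

# Constructed sample in the post's CSV layout: domain, current IP, MyWOT rating,
# Google Safe Browsing rating, SURBL status. All values are invented for this
# example; 192.0.2.0/26 stands in for the suballocated range from the post.
SAMPLE_CSV = """domain,ip,wot,gsb,surbl
example-a.test,192.0.2.5,poor,malware,listed
example-b.test,192.0.2.7,good,ok,clean
example-c.test,203.0.113.9,unknown,ok,listed
example-d.test,192.0.2.60,very poor,ok,clean
example-e.test,198.51.100.4,unknown,ok,clean
"""

HOSTING_RANGE = ipaddress.ip_network("192.0.2.0/26")  # placeholder range


def is_bad(row):
    """A domain counts as bad if any single reputation source flags it."""
    wot_bad = row["wot"].strip().lower() in {"poor", "very poor"}
    gsb_bad = row["gsb"].strip().lower() != "ok"
    surbl_bad = row["surbl"].strip().lower() == "listed"
    return wot_bad or gsb_bad or surbl_bad


def analyse(csv_text, hosting_range=HOSTING_RANGE):
    """Return counts of flagged domains and those still inside the range."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    bad = [r["domain"] for r in rows if is_bad(r)]
    still_hosted = []
    for r in rows:
        try:
            if ipaddress.ip_address(r["ip"].strip()) in hosting_range:
                still_hosted.append(r["domain"])
        except ValueError:
            continue  # unparseable IP (e.g. no current A record): skip it
    total = len(rows)
    pct = round(100 * len(bad) / total) if total else 0
    return {"total": total, "bad": bad, "bad_pct": pct, "still_hosted": still_hosted}


if __name__ == "__main__":
    result = analyse(SAMPLE_CSV)
    print(f"{len(result['bad'])} of {result['total']} ({result['bad_pct']}%) flagged")
    print("still in range:", ", ".join(result["still_hosted"]))
```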
Monday, 7 September 2015
Thursday, 9 October 2014
"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea.