Ask HN: Advice needed – Was my ISP hacked or am I being paranoid?
26 points by g-adamante 2946 days ago
I was hit with a phishing attempt twice today.

Once using my Safari on my iPhone and once using Firefox on Elementary OS.

These are relatively secure, and I’m careful when browsing. It seemed very weird that I had malware on both of them.

The scam is directed towards users of a very popular ISP.

Things got strange when I tried to submit the URL to phishtank.com: the website is blocked. I tried to access it over WiFi and 4G connections on my girlfriend’s phone and mine (all using the same provider), with no luck.

So I tried using my VPN. Phishtank works normally.

I know it sounds paranoid, but I’m starting to think that the ISP could have been hacked.

I’m here to ask for advice: what do I do?

I have no idea how to proceed, or how to track down the origin of the problem.

5 comments

This sounds like your router has been hacked and your default DNS set to malicious servers. I've had this happen a few times in Thailand, where the default ISP routers had a vulnerability. The hacked router would set the DNS to servers controlled by the attacker, and then selectively route specific websites such as banking to very good clones. Try manually setting your DNS to 8.8.8.8 and 1.1.1.1 and see what happens.
OP said that the problem was happening over 4G.
"all using the same provider" - could be the ISP's DNS server that was hacked.
Quite recently I came across a router where the DNS server was set to a Coinhive server.
Do a DNS lookup of sites you trust on your ISP, on your VPN, and using public resolvers. Look up who owns those IPs using web-based whois sites over your VPN. That should give you more information to make an informed decision.
I tried to look up the phishtank.com DNS records.

I get the same results using a public resolver and my VPN.

When I try using the ISP directly, I get this:

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> SOA +multiline phishtank.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49124
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;phishtank.com.                 IN SOA

    ;; ADDITIONAL SECTION:
    manual.zone.            86400 IN SOA manual.zone. manual.zone. (
                                    6325       ; serial
                                    60         ; refresh (1 minute)
                                    60         ; retry (1 minute)
                                    3600000    ; expire (5 weeks 6 days 16 hours)
                                    86400      ; minimum (1 day)
                                    )

When I use the VPN, I get this:

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> SOA +multiline phishtank.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15895
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;phishtank.com.                 IN SOA

    ;; ANSWER SECTION:
    phishtank.com.          881 IN SOA ns-128.awsdns-16.com. awsdns-hostmaster.amazon.com. (
                                    1          ; serial
                                    7200       ; refresh (2 hours)
                                    900        ; retry (15 minutes)
                                    1209600    ; expire (2 weeks)
                                    86400      ; minimum (1 day)
                                    )

    ;; AUTHORITY SECTION:
    phishtank.com.          172781 IN NS ns-1249.awsdns-28.org.
    phishtank.com.          172781 IN NS ns-128.awsdns-16.com.
    phishtank.com.          172781 IN NS ns-1994.awsdns-57.co.uk.
    phishtank.com.          172781 IN NS ns-694.awsdns-22.net.

What is going on with that manual.zone?
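
The comparison the earlier comment suggests (query the same name through the ISP, the VPN and a public resolver, then look at who answered) can be made mechanical. The script below is an added example and is not code from the thread: it parses dig output for each resolver, and for a negative answer checks the one thing a genuine NXDOMAIN always satisfies, that the SOA record proving the denial belongs to a zone that is an ancestor of the queried name (phishtank.com. or com. or the root) and sits in the AUTHORITY section. An SOA for an unrelated zone, returned in the ADDITIONAL section, means the resolver fabricated the denial from a local zone rather than relaying what the com. or phishtank.com. servers said. The two sample responses are constructed from the output posted above, re-rendered without +multiline so each record is one line; the function names are my own.

```python
"""Flag DNS negative answers that cannot have come from the authoritative chain,
and compare what several resolvers say about one name.

Added example for this thread; resolver names, samples and helpers are assumptions."""
import re

# Constructed samples: the two dig responses posted above, without +multiline.
ISP_DIG = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> SOA phishtank.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49124
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;phishtank.com.                 IN      SOA

;; ADDITIONAL SECTION:
manual.zone.            86400   IN      SOA     manual.zone. manual.zone. 6325 60 60 3600000 86400
"""

VPN_DIG = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> SOA phishtank.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15895
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;phishtank.com.                 IN      SOA

;; ANSWER SECTION:
phishtank.com.          881     IN      SOA     ns-128.awsdns-16.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; AUTHORITY SECTION:
phishtank.com.          172781  IN      NS      ns-1249.awsdns-28.org.
phishtank.com.          172781  IN      NS      ns-128.awsdns-16.com.
phishtank.com.          172781  IN      NS      ns-1994.awsdns-57.co.uk.
phishtank.com.          172781  IN      NS      ns-694.awsdns-22.net.
"""


def parse_dig(text):
    """Return (status, {section: [(owner, ttl, class, type, rdata), ...]})."""
    status = re.search(r"status: ([A-Z]+)", text).group(1)
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r";; ([A-Z]+) SECTION:", line)
        if header:
            current = header.group(1)
            continue
        # Comment lines (";"), blanks and the QUESTION entries carry no records.
        if not line.strip() or line.startswith(";") or current is None:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        sections.setdefault(current, []).append((owner, int(ttl), rclass, rtype, rdata))
    return status, sections


def is_ancestor(zone, name):
    """True when zone is name itself, one of its parents, or the root."""
    z, n = zone.rstrip(".").lower(), name.rstrip(".").lower()
    return z == "" or n == z or n.endswith("." + z)


def audit(qname, dig_text):
    """Return (status, findings) for one resolver's response to qname."""
    status, sections = parse_dig(dig_text)
    findings = []
    if status == "NXDOMAIN":
        soas = [(sec, rr) for sec, rrs in sections.items() for rr in rrs if rr[3] == "SOA"]
        if not soas:
            findings.append("NXDOMAIN without an SOA: no proof of which zone denied the name")
        for sec, (owner, *_rest) in soas:
            if not is_ancestor(owner, qname):
                findings.append(
                    f"NXDOMAIN proved by SOA of {owner}, which is not a parent of {qname}: "
                    "the denial was synthesised by the resolver, not by the authoritative zone")
            if sec != "AUTHORITY":
                findings.append(f"negative-answer SOA is in the {sec} section instead of AUTHORITY")
    return status, findings


def compare_resolvers(qname, outputs):
    """Audit every resolver's output; second value is True when their statuses disagree."""
    report = {name: audit(qname, text) for name, text in outputs.items()}
    statuses = {status for status, _ in report.values()}
    return report, len(statuses) > 1


if __name__ == "__main__":
    report, disagree = compare_resolvers("phishtank.com.", {"isp": ISP_DIG, "vpn": VPN_DIG})
    for resolver, (status, findings) in report.items():
        print(resolver, status, *findings, sep="\n  ")
    print("resolvers disagree:", disagree)
```

Run against the two responses above, the ISP answer is flagged twice (SOA for manual.zone. is not a parent of phishtank.com., and it is in ADDITIONAL rather than AUTHORITY) while the VPN answer passes, and the two resolvers disagree on the status. That establishes that the negative answer originates in whichever resolver the ISP path hands you, not upstream; it does not say whether that resolver is the ISP's own, a compromised router, or a blocklist the provider runs on purpose, which is what the whois step and a look at the router's DNS settings are for.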

What is /etc/resolv.conf pointing to? And what is running on that host?
If you couldn't get to phishtank.com on 4G then it's probably not your ISP being "hacked", unless of course your landline and mobile ISPs are the same.
He said that right after, in the brackets: it's the same provider :)
I don't know how I missed that, sorry man!
Check your router's DNS configuration.
How are we supposed to diagnose this without any details at all? "I was hit with a phishing attempt twice today."

Via email? Via social media? You've got to explain yourself better.

What was the context of the phish? Where are the raw emails?