
Ask HN: Advice needed – Was my ISP hacked or am I being paranoid? - g-adamante
I was hit with a phishing attempt twice today.

Once using Safari on my iPhone and once using Firefox on Elementary OS.

These are relatively secure, and I'm careful when browsing. It seemed very weird that I had malware on both of them.

The scam is directed towards users of a very popular ISP.

Things got strange when I tried to submit the URL to phishtank.com - the website is blocked. I tried to access it over WiFi and 4G connections on my girlfriend's phone and mine (all using the same provider), with no luck.

So I tried using my VPN. Phishtank works normally.

I know it sounds paranoid - but I'm starting to think that the ISP could have been hacked.

I'm here to ask for advice: what do I do?

I have no idea how to proceed, or how to track the origin of the problem.
======
ciguy
This sounds like your router has been hacked and your default DNS set to
malicious servers. I've had this happen a few times in Thailand where the
default ISP routers had a vulnerability. The hacked router would set the DNS
to servers controlled by the attacker, and then selectively route specific
websites such as banking to very good clones. Try manually setting your DNS to
8.8.8.8 and 1.1.1.1 and see what happens.

~~~
RunawayGalaxy
OP said that the problem was happening over 4G.

~~~
elitistphoenix
"all using the same provider" - could be the ISP's DNS server that was
hacked.

------
LinuxBender
Do a DNS lookup of sites you trust on your ISP and on your VPN and using
public resolvers. Look up who owns those IP's using web based whois sites over
your VPN. That should give you more information to make an informed decision.

~~~
g-adamante
I tried to look phishtank.com DNS records.

I get the same results using a public resolver and my VPN.

When I try using the ISP directly, I get that:

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> SOA +multiline phishtank.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49124
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;phishtank.com.			IN SOA

    ;; ADDITIONAL SECTION:
    manual.zone.		86400 IN SOA manual.zone. manual.zone. (
                    6325       ; serial
                    60         ; refresh (1 minute)
                    60         ; retry (1 minute)
                    3600000    ; expire (5 weeks 6 days 16 hours)
                    86400      ; minimum (1 day)
                    )

When I use the VPN, I get that:

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> SOA +multiline phishtank.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15895
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;phishtank.com.			IN SOA

    ;; ANSWER SECTION:
    phishtank.com.		881 IN SOA ns-128.awsdns-16.com. awsdns-hostmaster.amazon.com. (
                    1          ; serial
                    7200       ; refresh (2 hours)
                    900        ; retry (15 minutes)
                    1209600    ; expire (2 weeks)
                    86400      ; minimum (1 day)
                    )

    ;; AUTHORITY SECTION:
    phishtank.com.		172781 IN NS ns-1249.awsdns-28.org.
    phishtank.com.		172781 IN NS ns-128.awsdns-16.com.
    phishtank.com.		172781 IN NS ns-1994.awsdns-57.co.uk.
    phishtank.com.		172781 IN NS ns-694.awsdns-22.net.

What is going on with that manual.zone?
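
One way to turn the comparison LinuxBender suggests (the same lookup against the ISP resolver, the VPN-side resolver and public resolvers such as the 8.8.8.8 and 1.1.1.1 that ciguy mentions) into a repeatable check. This is an added example, not code from the thread or from any tool named in it; it parses the text that dig prints, and the two sample responses are constructed from the outputs posted above, with the resolver labels `isp` and `vpn` assumed. Beyond flagging that resolvers disagree about the name, it checks what a genuine negative answer has to look like: under RFC 2308 the SOA that backs an NXDOMAIN belongs to the zone containing the queried name (phishtank.com. itself or a parent such as com.) and is returned in the AUTHORITY section. An SOA for an unrelated zone, or one parked in ADDITIONAL with AUTHORITY: 0 as in the ISP response above, is not something a resolver relaying the real answer produces.

```python
"""Compare dig responses for one name across resolvers and flag the marks of a
tampered resolver.  Added example (not code from the thread or any tool in it);
the two sample responses are constructed from the dig output posted above."""
import re

SECTIONS = ("ANSWER", "AUTHORITY", "ADDITIONAL")

# Constructed sample: the ISP resolver's answer as posted in the thread.
ISP_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49124
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;phishtank.com.\t\tIN SOA
;; ADDITIONAL SECTION:
manual.zone.\t86400 IN SOA manual.zone. manual.zone. (
\t\t6325       ; serial
\t\t60         ; refresh (1 minute)
\t\t60         ; retry (1 minute)
\t\t3600000    ; expire (5 weeks 6 days 16 hours)
\t\t86400      ; minimum (1 day)
\t\t)
"""
# Constructed sample: the same query answered through the VPN.
VPN_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15895
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;phishtank.com.\t\tIN SOA
;; ANSWER SECTION:
phishtank.com.\t881 IN SOA ns-128.awsdns-16.com. awsdns-hostmaster.amazon.com. (
\t\t1          ; serial
\t\t7200       ; refresh (2 hours)
\t\t900        ; retry (15 minutes)
\t\t1209600    ; expire (2 weeks)
\t\t86400      ; minimum (1 day)
\t\t)
;; AUTHORITY SECTION:
phishtank.com.\t172781 IN NS ns-1249.awsdns-28.org.
phishtank.com.\t172781 IN NS ns-128.awsdns-16.com.
phishtank.com.\t172781 IN NS ns-1994.awsdns-57.co.uk.
phishtank.com.\t172781 IN NS ns-694.awsdns-22.net.
"""


def parse_dig(text):
    """Parse dig's text output (including +multiline SOA records) into a dict
    with status, qname and a list of (owner, ttl, rtype, rdata) per section."""
    r = {"status": "", "qname": "", "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            r["status"] = re.search(r"status: (\w+)", line).group(1)
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif section == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            r["qname"] = line[1:].split()[0]
        elif line and not line.startswith(";") and section in SECTIONS:
            buf += " " + line.split(";", 1)[0]      # drop "; serial"-style comments
            if "(" in buf and ")" not in buf:
                continue                            # still inside a multiline record
            owner, ttl, _cls, rtype, *rdata = buf.replace("(", " ").replace(")", " ").split()
            r[section].append((owner, int(ttl), rtype, rdata))
            buf = ""
    return r


def in_zone(name, zone):
    """True if `name` lies at or under `zone` (both absolute, dot-terminated)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def assess(outputs):
    """outputs: {resolver label: dig text}.  Returns [(label, finding), ...]."""
    parsed = {label: parse_dig(text) for label, text in outputs.items()}
    findings = []
    for label, r in parsed.items():
        if r["status"] != "NXDOMAIN":
            continue
        # RFC 2308: a negative answer carries the SOA of the zone containing the
        # name, in AUTHORITY.  Anything else was made up by the resolver itself.
        for sec in ("AUTHORITY", "ADDITIONAL"):
            for owner, _ttl, rtype, _rdata in r[sec]:
                if rtype == "SOA" and not in_zone(r["qname"], owner):
                    findings.append((label, f"NXDOMAIN backed by SOA of unrelated zone {owner}"))
                if rtype == "SOA" and sec == "ADDITIONAL":
                    findings.append((label, "negative-answer SOA sits in ADDITIONAL, not AUTHORITY"))
    # Resolvers seeing different truths for the same name is the core symptom.
    if len({r["status"] for r in parsed.values()}) > 1:
        detail = ", ".join(f"{l}={r['status']}" for l, r in sorted(parsed.items()))
        findings.append(("*", "resolvers disagree on status: " + detail))
    # Same status but different data (e.g. a bank's A record) is the clone scenario.
    answers = {tuple(sorted((t, tuple(d)) for _o, _ttl, t, d in r["ANSWER"]))
               for r in parsed.values() if r["ANSWER"]}
    if len(answers) > 1:
        findings.append(("*", "resolvers return different answer data (possible clone/redirect)"))
    return findings


if __name__ == "__main__":
    for label, finding in assess({"isp": ISP_OUTPUT, "vpn": VPN_OUTPUT}):
        print(f"[{label}] {finding}")
```

To run it against live resolvers, feed `assess` the stdout of `dig @8.8.8.8 SOA +multiline phishtank.com` (and the same query with `@1.1.1.1`, with the resolver listed in /etc/resolv.conf, and through the VPN) captured with subprocess. The same parser works for A lookups of, say, a bank's hostname, which is where the differing-answer check applies to the hijacked-router scenario ciguy describes.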

~~~
LinuxBender
What is /etc/resolv.conf pointing to? and what is running on that host?

------
amaccuish
If you couldn't get to phishtank.com on 4G then it's probably not your ISP
being "hacked", unless of course your landline and mobile ISPs are the same.

~~~
kowdermeister
He said that right after in the brackets that it's the same provider :)

~~~
amaccuish
I don't know how I missed that, sorry man!

------
curiousgal
Check your router's DNS configuration

------
cypherg
How are we supposed to diagnose this without any details at all? "I was hit
with a phishing attempt twice today."

Via email? Via social media? You've got to explain yourself better.

What was the context of the phish? Where are the raw emails?

