The Carefirst Breach: A Sinister Plot to Sell More Fake Handbags?

While the details of the Carefirst data breach are still not clear, it has been suggested that the trail leads back to China, and that the attackers may be Chinese government-sponsored hackers gathering data on US citizens. The trail may well lead back to China, but the hackers' motives may not be that sinister. There is a possible connection to Chinese distributors of fake designer goods. Let's follow the breadcrumbs. Security blogger Brian Krebs wrote:
Turns out, the same bulk registrant in China that registered the phony Premera and Anthem domains in April 2014 also registered two Carefirst look-alike domains — careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).
Krebs suggests that these fake domains may have been used in a phishing attack against Carefirst employees, which gave the initial access for the data exfiltration. I can't find any whois data for caref1rst[dot]com, but as of 4/11/2014, the whois data for careflrst[dot]com was
Domain Name: CAREFLRST.COM
Registry Domain ID: 1854271692_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-04-11 02:54:49
Creation Date: 2014-04-11 02:45:11
Registrar Registration Expiration Date: 2015-04-11 02:45:11
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID: 
Registrant Name: li ning
Registrant Organization: 
Registrant Street: guangdongsheng
Registrant City: guangzhoushi
Registrant State/Province: Alabama
Registrant Postal Code: 54152
Registrant Country: United States
Registrant Phone: +1.4805428751
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: li2384826402@yahoo.com
...
So our registrant was in the well-known metropolis of Guangzhoushi, Alabama, which apparently the registrar was OK with. While the address is obviously false, it's harder to fake the email address, as most registrars will confirm it. As it turns out, we've seen over a hundred other domains registered to li2384826402@yahoo.com used in spam email messages. Here are a few of the more blatant examples:
  • cheapcoachonlinee[dot]com
  • coachbagonlinee[dot]com
  • fakeugg[dot]com
  • guccijponlineshop[dot]com
  • louisvuittonxmasgifts[dot]com
  • ray-banshopcheap[dot]com
  • swarovskishopjapan[dot]com
  • victoriasecretshopjp[dot]com
So, if the careflrst[dot]com domain was in fact used for phishing in the Carefirst breach, the email addresses and phone numbers taken in the breach have now been added to the spammers' target list. Chinese fake designer goods spammers have also been active in SMS, iMessage, and social network spam, so if you are a Carefirst customer be particularly alert for phishing attempts on your messaging and social network accounts.
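As an added example (not code from the original post, from Krebs, or from any registrar), the following Python script does the two things the post does by hand: it generates the one-character look-alike variants of a brand domain (the "i" to "l" and "i" to "1" swaps above, plus a few others), parses WHOIS replies in the Key: value layout shown above, and then pivots on the registrant email to find sibling domains. The confusable table is an assumption chosen for the example, and the WHOIS excerpts are constructed for illustration: the careflrst[dot]com record repeats fields quoted above, the others reuse only the registrant email and domain names the post lists, plus one unrelated domain.

```python
"""Look-alike domain generation and WHOIS registrant pivoting (added example)."""
import re

# Single-character swaps that survive a quick glance in a From: header or a
# browser address bar. This table is an assumption chosen for the example.
CONFUSABLES = {
    "i": ["l", "1"],
    "l": ["i", "1"],
    "o": ["0"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
    "rn": ["m"],
    "m": ["rn"],
}


def lookalike_variants(domain):
    """Domains differing from `domain` by exactly one confusable swap in the first label."""
    label, dot, rest = domain.lower().partition(".")
    variants = set()
    for src, repls in CONFUSABLES.items():
        for idx in range(len(label)):
            if label.startswith(src, idx):
                for repl in repls:
                    mutated = label[:idx] + repl + label[idx + len(src):]
                    variants.add(mutated + dot + rest)
    variants.discard(domain.lower())
    return variants


def parse_whois(text):
    """Parse 'Key: value' lines of a registrar WHOIS reply into a dict.

    Repeated keys (Domain Status) are joined with '; '; empty values are kept as ''.
    """
    record = {}
    for line in text.splitlines():
        match = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if key in record and value:
            record[key] = record[key] + "; " + value if record[key] else value
        elif key not in record:
            record[key] = value
    return record


def lookalike_registrations(brand_domain, records):
    """Domains among `records` that are look-alikes of `brand_domain`."""
    variants = lookalike_variants(brand_domain)
    return sorted(r["Domain Name"].lower() for r in records
                  if r.get("Domain Name", "").lower() in variants)


def domains_by_registrant(records, email):
    """Pivot: every domain in `records` registered to `email` (case-insensitive)."""
    wanted = email.lower()
    return sorted(r["Domain Name"].lower() for r in records
                  if r.get("Registrant Email", "").lower() == wanted)


# Constructed WHOIS excerpts. The first repeats fields quoted in the post; the
# rest are invented and reuse only domain names and the e-mail the post lists.
SAMPLE_WHOIS = [
    """Domain Name: CAREFLRST.COM
Creation Date: 2014-04-11 02:45:11
Registrar: GoDaddy.com, LLC
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant Name: li ning
Registrant Organization:
Registrant City: guangzhoushi
Registrant State/Province: Alabama
Registrant Email: li2384826402@yahoo.com
""",
    "Domain Name: FAKEUGG.COM\nRegistrant Email: li2384826402@yahoo.com\n",
    "Domain Name: CHEAPCOACHONLINEE.COM\nRegistrant Email: LI2384826402@yahoo.com\n",
    "Domain Name: EXAMPLE.NET\nRegistrant Email: hostmaster@example.net\n",
]


def run_example(brand_domain="carefirst.com", whois_texts=SAMPLE_WHOIS):
    """Flag look-alike registrations of the brand, then pivot on their registrant."""
    records = [parse_whois(t) for t in whois_texts]
    hits = lookalike_registrations(brand_domain, records)
    linked = {}
    for rec in records:
        name = rec.get("Domain Name", "").lower()
        if name in hits:
            linked[name] = domains_by_registrant(records, rec.get("Registrant Email", ""))
    return hits, linked


if __name__ == "__main__":
    hits, linked = run_example()
    print("look-alike registrations:", hits)
    for domain, siblings in linked.items():
        print(domain, "shares a registrant with:", siblings)
```

The pivot key is the registrant email rather than the postal address because, as the post notes, registrars verify the email but not the street address; when run against a real bulk WHOIS export the same functions apply unchanged, and any domain that lands in both the look-alike set and a known spam registrant's cluster is worth blocking at the mail gateway before a campaign starts.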