Ask HN: Advice needed – Was my ISP hacked or am I being paranoid?
I was hit with a phishing attempt twice today.
Once using my Safari on my iPhone and once using Firefox on Elementary OS.
These are relatively secure, and I’m careful when browsing. It seemed very weird that I had a malware on both of them.
The scam is directed towards users of a very popular ISP.
Things got strange when I try to submit the url to phishtank.com - the website is blocked. I tried to access it over WiFi and 4G connections in my girlfriend’s phone and mine (all using the same provider), with no luck.
So I try to use my VPN. Phishtank works normally.
I know it sounds paranoid - but I’m starting to think that the ISP could have been hacked.
I’m here to ask for advice: what do I do?
I have no idea of how to proceed, and how to track the origin of the problem.
12 comments
[ 2.9 ms ] story [ 35.7 ms ] threadI get the same results using a public resolver and my VPN.
When I try using the ISP directly, I get that:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> SOA +multiline phishtank.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49124 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;phishtank.com. IN SOA
;; ADDITIONAL SECTION: manual.zone. 86400 IN SOA manual.zone. manual.zone. ( 6325 ; serial 60 ; refresh (1 minute) 60 ; retry (1 minute) 3600000 ; expire (5 weeks 6 days 16 hours) 86400 ; minimum (1 day) )
When I use the VPN, I get that:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> SOA +multiline phishtank.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15895 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;phishtank.com. IN SOA
;; ANSWER SECTION: phishtank.com. 881 IN SOA ns-128.awsdns-16.com. awsdns-hostmaster.amazon.com. ( 1 ; serial 7200 ; refresh (2 hours) 900 ; retry (15 minutes) 1209600 ; expire (2 weeks) 86400 ; minimum (1 day) )
;; AUTHORITY SECTION: phishtank.com. 172781 IN NS ns-1249.awsdns-28.org. phishtank.com. 172781 IN NS ns-128.awsdns-16.com. phishtank.com. 172781 IN NS ns-1994.awsdns-57.co.uk. phishtank.com. 172781 IN NS ns-694.awsdns-22.net.
What is going on with that manual.zone?
Via email? Via social media? you've got to explain yourself better.
What was the context of the phish? Where are the raw emails?