PTR Record: ts.fanellitrucking.com
Activity Detected: Mule/Identity Theft
A recent mule/identity theft email received from 126.96.36.199 on American Computer Associates' ASN27621 includes some interesting characteristics.
The resource has ports 80, 443, and 3389 exposed, while the HTML served from http://188.8.131.52 reveals the elements of what appears to be a webcam implemented by Bosch Security Systems.
While the HTTPS URL points to the login page of a Fortinet security device, an automated query of the HTTP transaction shows the presence of a RedKit malware infection on the webserver, specifically in the form of GET requests to http://253.1.168.192/wait.html, a resource that falls within the 240.0.0.0/4 Bogon IP range.
Given that this IP range is considered non-routable in the Windows and Linux IP stacks, it is highly likely that the remote source from which the infected web server pulls its content is actually spoofed. Such a feat could be accomplished simply by choosing a random IP from within the 240.0.0.0/4 subnet, or by reusing the reversed-octet form found in the 253.1.168.192.in-addr.arpa PTR designation of an internal host whose IP address is 192.168.1.253. The only other reasonably logical conclusion is that 253.1.168.192 is actually being used as a darknet honeypot to capture malicious traffic.
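The two checks used above, whether a URL in fetched HTML points at a bogon address and whether that address is just a private address written in reversed in-addr.arpa order, can be automated. The following is an added example written for this post, not tooling from the original; the sample HTML is constructed, the bogon list beyond 240.0.0.0/4 is the standard IANA special-use set added for generality, and only the URL from the post is taken from the page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# 240.0.0.0/4 is the range from the post; the other IANA special-use blocks are added so the same check catches any bogon host.
BOGON_BLOCKS = [ipaddress.ip_network(b) for b in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def bogon_block(ip):
    """Return the special-use prefix containing ip, or None if it is routable."""
    addr = ipaddress.ip_address(ip)
    return next((str(net) for net in BOGON_BLOCKS if addr in net), None)

def reversed_octets(ip):
    """Reverse a dotted quad as an in-addr.arpa label does: 253.1.168.192 -> 192.168.1.253."""
    return ".".join(reversed(ip.split(".")))

def classify_host(host):
    """For an IPv4 literal, give its bogon block and whether the reversed octets
    form a private address (the sign that the value was lifted from a PTR name)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname rather than an IP literal
        return None
    if addr.version != 4:
        return None
    rev = reversed_octets(host)
    return {"host": host, "bogon": bogon_block(host), "reversed": rev,
            "reversed_private": ipaddress.ip_address(rev).is_private}

def flag_bogon_urls(html):
    """Classify every absolute URL in html and keep those hosted on a bogon IP."""
    hits = []
    for url in URL_RE.findall(html):
        info = classify_host(urlsplit(url).hostname)
        if info and info["bogon"]:
            hits.append(dict(info, url=url))
    return hits

# Constructed sample body standing in for the fetched page: the bogon URL from the post, the server's own routable address, and a plain hostname.
SAMPLE_HTML = """<html><body>
<script src="http://253.1.168.192/wait.html"></script>
<img src="http://188.8.131.52/cam.jpg">
<a href="https://login.example.invalid/fortinet">login</a>
</body></html>"""
```

Running `flag_bogon_urls(SAMPLE_HTML)` reports only the wait.html reference, tagged with the 240.0.0.0/4 block and with `reversed_private` set, which is exactly the pattern the post describes.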