PhishLabs is monitoring a threat actor group that has set up fraudulent hosting companies on IP space leased from a legitimate reseller. They are using this infrastructure to offer bulletproof hosting services as well as to carry out their own phishing attacks. The group, which is based in Indonesia, has been dubbed Planetary Reef.
Planetary Reef is most notable in how they host phishing sites. While traditional methods of distributing phishing attacks rely on compromised websites or, increasingly, free domains, Planetary Reef is leasing their IP space from a large reseller. Using this space, the group has created an array of seemingly legitimate hosting companies that they promote through social media.
Planetary Reef's infrastructure includes a large number of domains registered through a variety of well-known registrars. Each domain has a substantial assortment of subdomains that they use to point to different phishing sites hosted on their IP space. In order to quickly set up these phishing sites and effectively manage their inventory of domains, the group is utilizing dynamic DNS services.
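The pattern above (many registrar-bought domains, each carrying many dynamic-DNS subdomains, all resolving into one leased IP range) is something a defender can pivot on from passive DNS. The script below is an added example, not PhishLabs tooling and not code from the group: it takes passive-DNS style (hostname, IP) observations, groups hostnames by registrable domain and by resolved /24, and flags netblocks that host several domains' worth of subdomains. Every hostname, IP address and the leased netblock in it are constructed for illustration; the "my.id" suffix handling is included only because the actor's hosting fronts use that suffix.

```python
"""Pivot on shared IP space in passive-DNS data.

Added example (not PhishLabs tooling): group passive-DNS observations by
registrable domain and resolved /24, then flag netblocks that host many
subdomains across several domains.  All hostnames, IPs and the leased
netblock below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Two-level public suffixes that a naive "last two labels" split would get
# wrong; "my.id" is listed because the actor's hosting fronts use it.
MULTI_LABEL_SUFFIXES = {"my.id", "co.id", "co.uk", "com.au"}

# Constructed passive-DNS observations: (hostname, resolved IPv4).
SAMPLE_PDNS = [
    ("login-secure.example-a.com", "203.0.113.10"),
    ("verify.example-a.com", "203.0.113.11"),
    ("update.example-a.com", "203.0.113.12"),
    ("acct.example-b.net", "203.0.113.20"),
    ("mail.example-b.net", "203.0.113.21"),
    ("portal.example-c.my.id", "203.0.113.30"),
    ("www.unrelated.org", "198.51.100.5"),
    ("cdn.unrelated.org", "198.51.100.6"),
]

# Constructed: the /24 we assume the reseller leased to the actor.
ASSUMED_LEASED_BLOCK = ipaddress.ip_network("203.0.113.0/24")


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain, honouring the two-level suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def cluster_by_netblock(records, prefixlen=24):
    """Map each /prefixlen netblock to {registrable_domain: set(hostnames)}."""
    clusters = defaultdict(lambda: defaultdict(set))
    for hostname, ip in records:
        block = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        clusters[block][registrable_domain(hostname)].add(hostname.lower())
    return clusters


def suspicious_netblocks(records, min_domains=2, min_hosts=4, prefixlen=24):
    """Netblocks serving >= min_hosts hostnames spread over >= min_domains domains.

    Returns a sorted list of (netblock, domain_count, host_count).  One block
    carrying subdomains of several unrelated registrable domains is the
    signal worth pivoting on; one domain with many hosts is more often an
    ordinary web farm or CDN and is ignored here.
    """
    out = []
    for block, domains in cluster_by_netblock(records, prefixlen).items():
        hosts = sum(len(h) for h in domains.values())
        if len(domains) >= min_domains and hosts >= min_hosts:
            out.append((str(block), len(domains), hosts))
    return sorted(out)


def hosts_in_block(records, block=ASSUMED_LEASED_BLOCK):
    """Hostnames whose resolved IP falls inside a known or suspected leased block."""
    return sorted(h.lower() for h, ip in records
                  if ipaddress.ip_address(ip) in block)


if __name__ == "__main__":
    for block, ndom, nhost in suspicious_netblocks(SAMPLE_PDNS):
        print(f"{block}: {ndom} registrable domains, {nhost} hostnames")
    print("in leased block:", hosts_in_block(SAMPLE_PDNS))
```

With real passive-DNS exports, swap SAMPLE_PDNS for the feed's records and the constructed /24 for the range the reseller actually allocated; the thresholds are starting points and should be tuned against the volume of the feed.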
There are various behaviors that indicate Planetary Reef is acting as a bulletproof hosting provider. These types of hosts allow customers considerable leniency in the types of illicit material they upload and distribute, and are favored among malicious actors. They have sold hosting services to another actor targeting large social media platforms. They also have connections to known groups offering phishing-for-hire services. Additionally, we have observed threats using Planetary Reef's infrastructure targeting various brands and properties in ways that suggest distinct actors pursuing their own ends.
The most prominent hosts run by Planetary Reef are Planet Hosting and CNF-HOST.
Planet Hosting (Planet Host Live)
- hxxps://planethostlive[.]com/
- hxxps://planet[.]my[.]id
- hxxps://s2planet[.]com/
- hxxps://planethost[.]asia (inactive)
CNF-HOST
- hxxps://cnfhosted[.]my[.]id/
[Image: Planet Host Live website]
[Image: CNF-HOST website]
Planetary Reef is using social media extensively to advertise their hosting services. Their most active presence is their private Facebook group "Planet Hosting Indonesia Grup."
[Image: Planet Hosting Indonesia Grup Facebook group]
In addition, many of the administrators behind Planetary Reef identify themselves on the homepage of each hosting company and have publicly available Facebook profiles.
[Image: Planet Hosting admins listed on the hosting company homepage]
[Image: Planet Hosting admin Facebook profile]
Planetary Reef remains a threat as long as the group is able to use legitimate resources to deploy attacks and lease space to bad actors. PhishLabs is actively removing phishing sites associated with Planetary Reef. Despite its clear involvement in malicious activity, the group currently remains online due to lack of action by upstream providers. PhishLabs continues to work with industry partners to track Planetary Reef and disrupt their activities.