Fast-Fluxing Bank Phishing On The Rise
If you're like everyone else, you're not immune to the phishing tactics of the scammers and spammers who send you daily junk touting messages about your banking services being updated. We decided to take one such phishing email apart and show you just how crafty these criminals really are. We start off by receiving a spam message in our inbox like the one below.
Received: from 68.171.36.5 by node4.ns2.spacequad.com (Spacequad AntiSpam
 Services - When reporting spam, please include this header and send reports
 to abuse@spacequad.com.); Fri, 25 Sep 2009 19:22:55 -0400
Received: (qmail 6785 invoked from network); 25 Sep 2009 18:49:57 -0400
Received: from 129.red-80-59-138.staticip.rima-tde.net (HELO protorba-serv)
 (80.59.138.129)
 by christianfellowshipchicago.com with SMTP; 25 Sep 2009 18:49:56 -0400
Message-ID: <D9C1B1CD8C0D48B9B460E4ACB1B64167@protorba-serv>
Reply-To: "Alliance & Liecester" <security.online@alliance-leicester.co.uk>
From: "Alliance & Liecester" <security.online@alliance-leicester.co.uk>
To: <mbrush@voyager.net>,
 <mbrush@waukee.k12.ia.us>,
 <mbrushwork@blueyonder.co.uk>,
 <mbrushwork@btinternet.com>,
 <mbrushwork@hotmail.co.uk>,
 <mbrushwork@inspiringcalm.com>,
 <mbrush@wyoming.com>,
 <mbrusic@msn.com>,
 <mbrusie@msn.com>,
 <mbrusilow@worldnet.att.net>,
 <mbrusin@fazer.ru>,
 <m_brusinsky@fdp.ru>,
 <m_brusinsky@yahoo.co.uk>,
 <mbrusin@yahoo.co.uk>,
 <mbrusio@msn.com>,
 <mbr@usis.com>,
 <mbrusis@msn.com>,
 <mbrusi@yahoo.co.uk>,
 <mbruska@yahoo.co.uk>,
 <mbruske@isle.k12.mn.us>,
 <mbruski@hotmail.co.uk>,
 <mbruskin@hotmail.com>,
 <mbruski@ukonline.co.uk>,
 <mbruski@yahoo.co.uk>,
 <mbrusko@gateway.net>,
 <mbrusk@pwrtc.com>,
 <mbrusman@hotmail.com>,
 <mbrusman@workingresources.com>,
 <mbrus@msn.com>
Subject: Your account information Security upgrade
Date: Sat, 26 Sep 2009 00:44:48 +0200
Organization: Alliance & Liecester
MIME-Version: 1.0
Content-Type: text/html;
 charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18000
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <security.online@alliance-leicester.co.uk>
X-SF-HELO-Domain: ps17.myhostcenter.com
X-SF-Originating-IP: 68.171.36.5
X-Rejection-Reason: 26 - SFDC filter match
This is the actual email that was received, with one edit made during posting: the link is no longer active. After receiving this spam mail in our spam bucket, we decided to investigate and take down as many of the sites hosting it as we could.
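The headers above already tell most of the story: the message claims to come from alliance-leicester.co.uk, but the hop that injected it identified itself as HELO protorba-serv from a rima-tde.net static IP, and nothing in the relay path belongs to the bank. The following script is an added example, not code from the original post, that pulls those facts out of the headers mechanically. The sample message embeds the Received:, From:, Reply-To: and Content-Type: headers as quoted in the post, with the To: list cut to three addresses and the body replaced by a stub; the bulk-recipient threshold is an assumption chosen for illustration.

```python
"""Header triage for the phishing message quoted above (added example, not from the post)."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: the Received:, From:, Reply-To:, Subject:, Date: and
# Content-Type: headers as quoted in the post, with the To: list cut to three
# addresses and the HTML body replaced by a stub.
SAMPLE_MESSAGE = """\
Received: from 68.171.36.5 by node4.ns2.spacequad.com (Spacequad AntiSpam
  Services); Fri, 25 Sep 2009 19:22:55 -0400
Received: (qmail 6785 invoked from network); 25 Sep 2009 18:49:57 -0400
Received: from 129.red-80-59-138.staticip.rima-tde.net (HELO protorba-serv)
  (80.59.138.129) by christianfellowshipchicago.com with SMTP;
  25 Sep 2009 18:49:56 -0400
Reply-To: "Alliance & Liecester" <security.online@alliance-leicester.co.uk>
From: "Alliance & Liecester" <security.online@alliance-leicester.co.uk>
To: <mbrush@voyager.net>, <mbrushwork@btinternet.com>, <mbrus@msn.com>
Subject: Your account information Security upgrade
Date: Sat, 26 Sep 2009 00:44:48 +0200
Content-Type: text/html; charset="koi8-r"

<html><body>(body omitted)</body></html>
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+([^\s(;]+)", re.IGNORECASE)
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s(;]+)", re.IGNORECASE)


def parse_received(value):
    """Extract relay host, HELO name, first IPv4 literal and receiving host from one Received: header."""
    flat = " ".join(value.split())  # unfold the header (continuation lines start with whitespace)

    def first(rx):
        m = rx.search(flat)
        return m.group(1) if m else None

    ips = IPV4_RE.findall(flat)
    return {"from": first(FROM_RE), "helo": first(HELO_RE),
            "ip": ips[0] if ips else None, "by": first(BY_RE)}


def triage(raw_message, bulk_threshold=10):
    """Summarise where the message really came from and flag mismatches with the claimed sender."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # Each relay prepends its own Received: line, so the last one is the injection point.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = next((h for h in reversed(hops) if h["ip"]), None)
    recipients = getaddresses(msg.get_all("To", []))

    flags = []
    if origin and origin["helo"] and not origin["helo"].lower().endswith(from_domain):
        flags.append("helo_not_in_from_domain")   # HELO 'protorba-serv' vs alliance-leicester.co.uk
    if not any(h["from"] and h["from"].lower().endswith(from_domain) for h in hops):
        flags.append("no_relay_in_from_domain")   # nothing in the path belongs to the claimed bank
    if len(recipients) >= bulk_threshold:          # threshold is an illustrative assumption
        flags.append("bulk_recipient_list")

    return {"from_domain": from_domain,
            "origin_ip": origin["ip"] if origin else None,
            "origin_helo": origin["helo"] if origin else None,
            "origin_host": origin["from"] if origin else None,
            "hops": hops,
            "recipient_count": len(recipients),
            "charset": msg.get_content_charset(),
            "flags": flags}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run against the full To: list from the post (29 alphabetically adjacent addresses) the bulk flag fires as well, which is the mailer working through a harvested list. Received: lines are only trustworthy from your own border inward, which is why the script walks the chain from the bottom rather than believing any single header.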
The page that came up in the browser looked like this:

We first looked at the domain gr7zi1u63k.com and at its registrant record:
The Data in Paycenter's WHOIS database is provided by Paycenter
for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Paycenter does not guarantee its accuracy. By submitting
a WHOIS query, you agree that you will use this Data only
for lawful purposes and that,
under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission
of mass unsolicited, commercial advertising or solicitations
via e-mail (spam); or
(2) enable high volume, automated, electronic processes that
apply to Paycenter or its systems.
Paycenter reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.
Domain Name : gr7zi1u63k.com
PunnyCode : gr7zi1u63k.com
Registrant:
Organization : Pan Wei wei
Name : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Administrative Contact:
Name : Pan Wei wei
Organization : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Phone Number : 010-010-58022118-58022118
Fax : 86-010-58022118-58022118
Email : 127@126.com
Technical Contact:
Name : Pan Wei wei
Organization : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Phone Number : 010-010-58022118-58022118
Fax : 86-010-58022118-58022118
Email : 127@126.com
Billing Contact:
Name : Pan Wei wei
Organization : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Phone Number : 010-010-58022118-58022118
Fax : 86-010-58022118-58022118
Email : 127@126.com
You'll notice right away that it's registered through PayCenter, located in China. They are known for hosting criminal domains. Whether they condone it or not, we don't know. All we do know is that every notice we've sent them in the past has gone unanswered. Now to the name of the person who registered the domain: this is a name we've seen used over and over on thousands of other criminal domain names. Usually the address changes slightly, but we have seen fake addresses from all over the world attached to this name.
If you look further into the domain, at its DNS and hosting, you'll see that it is using Fast-Flux hosting for both the DNS and the website. A listing of most of the hosting IPs is below. We did the lookup several times, about every two minutes, to see what IPs we'd get, and discovered the following list:
151.201.22.120
173.172.243.20
173.19.26.252
188.36.132.161
190.183.76.95
200.226.150.70
202.131.190.199
202.181.203.146
204.118.0.2
207.13.63.96
208.96.88.89
209.51.85.202
216.104.109.9
217.166.213.26
24.141.107.228
24.237.88.208
24.239.153.188
24.30.179.243
58.169.246.205
60.51.48.10
64.150.231.161
66.231.135.49
67.77.32.172
68.112.20.128
68.54.221.250
69.149.255.223
69.249.22.165
71.227.140.32
71.58.185.212
76.11.238.161
76.26.26.141
81.56.67.245
83.185.94.175
83.80.130.188
84.105.106.220
85.24.163.179
88.176.171.91
89.142.64.95
94.212.11.215
99.189.77.122
99.19.253.137
99.236.138.199
99.36.43.208
To verify that these machines were being used as hosts, we replaced the www in www.mybank.alliance-leicester.gr7zi1u63k.com/index.assp=mybankn>login_access/index.php with each IP listed above. Guess what? The same page came up, but on a different machine. It makes one wonder why a hacker would go through this much trouble to hack these machines and put up their own version of a banking page. It didn't take long to discover why: they were in the process of phishing, hoping that some person would fall for this, enter their credentials, and think they were logging into their real account.
Thanks in part to us, this particular phishing trip was cut short, as we notified most of the affected ISPs to have these machines cut off from the internet or the content removed.
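The two-minute lookups described above are the basic fast-flux check: resolve the name repeatedly and watch the answer set change. The script below is an added example, not code from the original post, that turns that into measurable figures. It takes a series of lookup results, each a TTL and the A records returned, and reports distinct addresses, spread across /16 and /24 networks, the shortest TTL seen, and churn (how many never-seen addresses appear per round). The sample data uses fourteen of the IPs listed in the post, grouped into four constructed rounds; the 120-second TTL, the control domain in the 203.0.113.0/24 documentation range, and the verdict thresholds are all assumptions for illustration. The actual DNS query is left to a caller-supplied function so the loop runs offline here and can be wired to a real resolver elsewhere.

```python
"""Fast-flux heuristics over repeated A-record lookups (added example, not from the post)."""
import ipaddress
import time

# Constructed sample: four lookups "two minutes apart" of the phishing domain, each
# returning four of the IPs the post lists. A TTL of 120 s is an assumption; the post
# does not state the record's TTL.
FLUX_SNAPSHOTS = [
    (120, ["151.201.22.120", "173.172.243.20", "173.19.26.252", "188.36.132.161"]),
    (120, ["173.172.243.20", "190.183.76.95", "200.226.150.70", "202.131.190.199"]),
    (120, ["202.181.203.146", "204.118.0.2", "207.13.63.96", "151.201.22.120"]),
    (120, ["208.96.88.89", "209.51.85.202", "216.104.109.9", "217.166.213.26"]),
]

# Constructed control: a normally hosted name answering with the same two addresses
# (documentation range 203.0.113.0/24) and a one-hour TTL.
CONTROL_SNAPSHOTS = [(3600, ["203.0.113.10", "203.0.113.11"])] * 4


def collect(resolve, rounds, interval):
    """Poll resolve() (returns (ttl, [ips])) `rounds` times, `interval` seconds apart."""
    snapshots = []
    for i in range(rounds):
        snapshots.append(resolve())
        if i < rounds - 1:
            time.sleep(interval)
    return snapshots


def make_resolver(snapshots):
    """Offline stand-in for a DNS query: hand back the constructed snapshots in order."""
    it = iter(snapshots)
    return lambda: next(it)


def flux_metrics(snapshots):
    """Distinct-address, prefix-spread, TTL and churn figures for a series of lookups."""
    seen, new_per_round, ttls = set(), [], []
    for ttl, ips in snapshots:
        ttls.append(ttl)
        current = set(ips)
        new_per_round.append(len(current - seen))  # addresses never returned before
        seen |= current

    def prefixes(bits):
        return {ipaddress.ip_network(f"{ip}/{bits}", strict=False) for ip in seen}

    later = new_per_round[1:]
    return {
        "rounds": len(snapshots),
        "distinct_ips": len(seen),
        "distinct_24": len(prefixes(24)),
        "distinct_16": len(prefixes(16)),
        "min_ttl": min(ttls),
        "churn": sum(later) / len(later) if later else 0.0,  # new IPs per round after the first
    }


def is_fast_flux(m, min_ips=5, min_16=3, max_ttl=300):
    """Illustrative thresholds (assumptions): many addresses, spread across networks, short TTL, churn."""
    return (m["distinct_ips"] >= min_ips and m["distinct_16"] >= min_16
            and m["min_ttl"] <= max_ttl and m["churn"] > 0)


if __name__ == "__main__":
    for label, snaps in (("phishing domain", FLUX_SNAPSHOTS), ("control", CONTROL_SNAPSHOTS)):
        m = flux_metrics(collect(make_resolver(snaps), rounds=len(snaps), interval=0))
        print(label, m, "fast-flux" if is_fast_flux(m) else "not fast-flux")
```

The /16 spread is the figure that separates a flux network from an ordinary load-balanced site: a legitimate service rotates through a handful of addresses in its own ranges, whereas the list in the post is spread across consumer cable and DSL networks on several continents, exactly what compromised home machines look like. Keeping the TTL in the record is also why a library that exposes it (rather than a bare name lookup) should back the resolve() function when this is run for real.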