Wednesday, September 02, 2009

Bell Canada phish - still about the Cards

As I was reviewing new spam categories from yesterday's mail to the UAB Spam Data Mine, I noticed a new phishing campaign against Bell Canada. It is important that consumers, who have been trained to believe that "phishing emails pretend to be banks" understand that ANY sort of company can send you a phishing email.

Apparently someone really wanted us to visit this phishing site, since we received more than 200 copies of the spam message. The site, which was still live this morning, more than 24 hours after the campaign had begun, looks like this:

I know what you're thinking. Why would anyone go to the trouble to steal the userid and password to my home telephone service? Perhaps the second page of questions will help answer that question:

After the phisher gets your Visa or Mastercard number, complete with Expiry date and Security Code, then we try for the Identity Theft Trifecta: Mother's Maiden Name, Date of Birth, and Social Insurance Number (the Canadian version of our Social Security Number). Of course they get a complete home address with home phone and employer just for good measure.

Phishing builds trust, by imitating a trusting relationship, and then asks more personal details. As consumers become more aware of "bank phishing", we will likely see more "non-bank phishing", hoping that the cautious behavior learned by banking customers doesn't generalize to the relationship with their phone company.

Truthfully, this was the second time that we have seen a Bell Canada phish, but the professionalism of this site is a huge improvement over the phish of July 28th. In the July 28th email, we were addressed as "Dear costumer" with a website that pointed to "®ion=ON.htm". That previous email came from "" while the current email comes from "". There were quite a few similarities however.

The target domain advertised in the new phishing campaign is:

which was registered on August 30th with that most untrustworthy registrar, China Springboard. The computer on which this domain resides is, in Australia. According to DomainTools, that same computer is also the host of:

DomainTools says that has also been recently associated with the IP address, which has also served as the host of:

The domain is the big news though! It has been mostly associated with a recent paypal phish using the host name Once that little piece of evidence slips in, we now see that this is actually a Fast Flux hosting botnet that specializes in phishing. Knowing that the may be a Fast Flux address, we switch modes to check for that, and come up with a HUGE list of computers - more than 120 computers, all of which have acted as the "webserver" for this phishing campaign.

Running quickly through the 128 IP addresses looking for additional hosts, we find a few big nameserver groups that tie the Bell Canada phishing campaign to other phishing campaigns hosted on the same Fast Flux network. Very significantly, however, this is NOT the same Fast Flux network currently being used to abuse Bank of America and KeyBank.

Some nameserver groups on this network: used by: used by: used by: (such as

Other than the correction of the mis-spelled "Costumer" to "Customer", both emails have the same wording:

This e-mail was sent by Bell Canada to notify you that we have temporarily prevented access to your account.

We have reasons to believe that your account may have been accessed by someone else.

Please verify your details by following the link below :

© Bell Canada
( Please do not reply to this e-mail , this account is not monitored. Follow the instructions in the e-mail )

We only received one copy of the first email, sent from a single computer in Peoria, Illinois attached to the OmniLec network:

The new email came from botnet computers all over the world, including computers in Argentina, Belgium, Brazil, Chile, Germany, Hong Kong, India, Israel, Italy, Portugal, Russia, Singapore, Spain, Taiwan, Uruguay, Vietnam, as well as US based networks large and small.

The spamming program seems to be doing "false received lines" in the mail. So for instance, a computer in Spain has mail header lines that seem quite troubling at face value. "" or ""? On further review these "trusted" mail senders have been falsely injected into the mail headers.

Received: from home ( [])
by [Gary's Server] (8.11.6/8.11.0) with ESMTP id n81JLV015681;
Tue, 1 Sep 2009 19:21:33 GMT
Received: from by; Tue, 1 Sep 2009 13:21:45 -0600
Date: Tue, 1 Sep 2009 13:21:45 -0600
From: Bell
X-Mailer: The Bat! (v2.00.2) Business
X-Priority: 3 (Normal)
Message-ID: <236508618.53500285241073@home>
To: [Gary's spam trap]
Subject: Bell Online Notification
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit

Some computers associated with hosting this campaign:

Here is a sample of the Paypal version of this phishing campaign . . . the samples received on 02SEP09 actually give the red-letter due date of September 4, 2009.

And this is what the destination website looks like:

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.