Tuesday, October 28, 2008

Tip to Phishers: First Build Site, THEN Spam

As a transplant to the South, I was not at first familiar with the expression "Bless his little heart". It's often used to express amusement at something silly a young child or animal may do, because they don't know any better. When used with regard to adults, it replaces Yankee expressions because Southerners are generally too polite to say someone is too stupid to live. I've lived in the South for more than twenty years now, so when I saw the phishing campaign that started up around 1:20 this morning, all I could say about the Phisher was "awwww....bless his little heart!"

Here's what the spam emails look like:

When I say we started getting spam from this campaign, I mean SEVERAL messages every minute. The spammer had registered himself some nice domain names using the Chinese Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.

He had chosen some innocent Americans' identities to use when he did his domain name registrations, so they would seem "American", I guess . . .

He was Darleen Murray from Buffalo, NY
and Ray Brooks from Swanquarter, NY
and David Minor from New York, NY
and Eric Mattson from Sherman Oaks, CA
and Joshua Zadow from Mitchell, SD
and Thomas Brooks from Atlanta, GA
and Alice Hatch from Murray, UT
and Leonard Johnson from Socaldwell, OK
and Stephanie Jordan from Seattle, WA
and Ruth Sims from Morro Bay, CA
and Sam McNeal from Baltimore, MD
and Barbara White from Bangor, ME
and Robert Russwurm from Kingston, NY
and Megan Alfonso from Lake Wales, FL

He even used their real phone numbers and email addresses for the contact information on the registrations!

Each of these folks curiously decided to use the same Technical ID on their registrations -- gTec Limited in Moscow, Russia.

Seven of the domains were registered on October 13th, and seven more on October 23rd, but none were used for spamming before this morning.

Early this morning, Our Pathetic Phisher launched his spam campaign, using machines from all around the world to send his spam. We received messages sent from Japan and Germany, from Korea and Lithuania, from Canada and Kansas City, from Russia and Bulgaria, from the Ukraine and from Turkey.

But there is nothing on ANY of the websites! Even as we sit here watching the spam continue to flow in, we can't get ANY of the websites to show content!

Was it a bad path in the spam? (Regardless of brand they all used the same path.)

Was it quick action by those staunch anti-phishing crusaders in China? (The IP addresses are all the same . . . 123.134.66.8 . . . which is hosted on CNCGroup in Shandong, China.)

Or is it possible that the Phisher is just that stupid, that he forgot to put the content on his web servers before he began to send his spam? I'm inclined to believe this is the situation here.

Say it with me . . .

"Bless his little heart..."



Here are the URLs that we saw . . . many times each:

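As an added example (not code from the post), here is a small Python clusterer that does by machine what the post does by eye: it groups the spammed URLs by lookalike registrable domain and shared path and records which brand label was prepended as a subdomain, so one kit reused across many brands stands out. The monitored-brand list and the sample URLs are constructed assumptions modelled on the campaign.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Brands that appeared as subdomain labels in the spam. Assumption: the
# defender maintains a list of brands they monitor for impersonation.
MONITORED_BRANDS = {"associatedbank", "commercebank", "countrywide", "wachovia"}

# Constructed sample input, in the same shape as the URLs from the campaign.
SAMPLE_URLS = [
    "http://associatedbank.1securebanking.com/251005/account-update/",
    "http://commercebank.1securebanking.com/251005/account-update/",
    "http://bank.countrywide.secure-ibank.com/251005/account-update/",
    "http://wachovia.secure-ibank.com/251005/account-update/",
    "http://www.example.com/login/",  # unrelated traffic, must not be flagged
]

def split_host(host):
    """Return (subdomain labels, registrable domain). Assumption: two-label
    registrable domains; real code would consult the public suffix list."""
    labels = host.lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def brand_in_subdomain(labels):
    """Return the first monitored brand used as a subdomain label, else None."""
    for label in labels:
        if label in MONITORED_BRANDS:
            return label
    return None

def cluster_phish_urls(urls):
    """Group URLs whose subdomain impersonates a monitored brand, keyed by
    (lookalike registrable domain, path). Each value is the sorted list of
    brands seen under that key, which exposes one kit reused for many brands."""
    clusters = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        labels, domain = split_host(parts.hostname or "")
        brand = brand_in_subdomain(labels)
        if brand is not None:
            clusters[(domain, parts.path)].add(brand)
    return {key: sorted(brands) for key, brands in clusters.items()}

def shared_paths(clusters):
    """Return paths that recur across more than one lookalike domain: the
    'same path regardless of brand' signal the post points out."""
    domains_by_path = defaultdict(set)
    for domain, path in clusters:
        domains_by_path[path].add(domain)
    return {path for path, doms in domains_by_path.items() if len(doms) > 1}
```

Feeding the clusterer the hosts from a mail gateway's URL log turns a flood of per-brand lures into a handful of (domain, path) keys to block or sinkhole.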
