Wednesday, September 02, 2009

Bell Canada phish - still about the Cards

As I was reviewing new spam categories from yesterday's mail to the UAB Spam Data Mine, I noticed a new phishing campaign against Bell Canada. It is important that consumers, who have been trained to believe that "phishing emails pretend to be banks", understand that a phishing email can pretend to be ANY sort of company.

Apparently someone really wanted us to visit this phishing site, since we received more than 200 copies of the spam message. The site, which was still live this morning, more than 24 hours after the campaign had begun, looks like this:



I know what you're thinking. Why would anyone go to the trouble to steal the userid and password to my home telephone service? Perhaps the second page of questions will help answer that question:



After the phisher gets your Visa or Mastercard number, complete with expiry date and security code, the form goes for the Identity Theft Trifecta: Mother's Maiden Name, Date of Birth, and Social Insurance Number (the Canadian version of our Social Security Number). Of course they also collect a complete home address, home phone and employer, just for good measure.

Phishing builds trust by imitating a trusting relationship, and then asks for more personal details. As consumers become more aware of "bank phishing", we will likely see more "non-bank phishing", on the bet that the cautious behavior learned by banking customers doesn't generalize to the relationship with their phone company.

Truthfully, this was the second time that we have seen a Bell Canada phish, but the professionalism of this site is a huge improvement over the phish of July 28th. In the July 28th email, we were addressed as "Dear costumer" with a website that pointed to "ns2.e-karnet.net/home/Home_L-Login.pagelanguage=en&region=ON.htm". That previous email came from "privacy@bell.ca" while the current email comes from "notification@bell-biling.ca". There were quite a few similarities however.

The target domain advertised in the new phishing campaign is:

upgrade-accounts.com

which was registered on August 30th with that most untrustworthy registrar, China Springboard. The computer on which this domain resides is 203.213.76.12, in Australia. According to DomainTools, that same computer is also the host of:

alliance-leicester056.com
alliance-leicester259.com
alliance-leicester304.com
alliance-leicester423.com
alliance-leicester603.com
alliance-leicester620.com
alliance-leicester628.com
alliance-leicester860.com
alliance-leicester907.com
my-pictures-downloads.com
and upgrade-accounts.com

DomainTools says that Upgrade-accounts.com has also been recently associated with the IP address 65.202.231.12, which has also served as the host of:

account-verifications.com
alliance-leicester076.com
alliance-leicester508.com
alliance-leicester528.com
alliance-leicester551.com

The account-verifications.com domain is the big news though! It has been mostly associated with a recent PayPal phish using the host name paypal.account-verifications.com. Once that little piece of evidence slips in, we can see that this is actually a Fast Flux hosting botnet that specializes in phishing. Knowing that bell.ca.upgrade-accounts.com may be a Fast Flux hostname, we switch modes and resolve it repeatedly over time, collecting every address it returns, and come up with a HUGE list of computers - more than 120 computers, all of which have acted as the "webserver" for this phishing campaign.

Running quickly through the 128 IP addresses looking for additional hosts, we find a few big nameserver groups that tie the Bell Canada phishing campaign to other phishing campaigns hosted on the same Fast Flux network. Very significantly, however, this is NOT the same Fast Flux network currently being used to abuse Bank of America and KeyBank.
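Here is the kind of check described above, as an added example and not code from this post: given hostname-to-address observations (a constructed subset of the lists further down in this post, plus one made-up ordinary site, www.example.com, for contrast), it scores each hostname by how many distinct addresses and distinct /16 prefixes it has resolved to, flags the Fast Flux fronts, and measures how much address space two hostnames share, which is exactly how the Bell and PayPal fronts turn out to be riding the same botnet. The thresholds are assumptions; in live work you would also watch for very short TTLs and re-resolve on a schedule rather than work from a static list.

```python
"""Fast-flux scoring and shared-infrastructure pivot over passive-DNS observations."""
from collections import defaultdict
import ipaddress

# Constructed sample: a subset of the hostname -> IP observations listed later in
# this post, one observation per line, plus www.example.com as a made-up contrast.
OBSERVATIONS = """
bell.ca.upgrade-accounts.com 121.221.140.248
bell.ca.upgrade-accounts.com 124.13.162.53
bell.ca.upgrade-accounts.com 129.93.154.62
bell.ca.upgrade-accounts.com 138.210.154.36
bell.ca.upgrade-accounts.com 149.84.93.20
bell.ca.upgrade-accounts.com 174.103.124.144
bell.ca.upgrade-accounts.com 200.87.22.27
bell.ca.upgrade-accounts.com 203.213.76.12
bell.ca.upgrade-accounts.com 216.16.111.15
bell.ca.upgrade-accounts.com 24.164.252.40
bell.ca.upgrade-accounts.com 65.202.231.12
bell.ca.upgrade-accounts.com 76.106.45.169
bell.ca.upgrade-accounts.com 99.144.178.98
paypal.account-verifications.com 121.221.178.220
paypal.account-verifications.com 124.13.161.90
paypal.account-verifications.com 138.210.154.36
paypal.account-verifications.com 149.84.93.20
paypal.account-verifications.com 174.103.124.144
paypal.account-verifications.com 200.87.22.27
paypal.account-verifications.com 203.213.76.12
paypal.account-verifications.com 216.16.111.15
paypal.account-verifications.com 24.164.252.40
paypal.account-verifications.com 65.202.231.12
paypal.account-verifications.com 76.106.45.169
paypal.account-verifications.com 99.144.178.98
ns3.the-breakfast-dreams.com 138.210.154.36
ns3.the-breakfast-dreams.com 216.16.111.15
ns3.the-breakfast-dreams.com 24.224.130.181
ns3.the-breakfast-dreams.com 64.150.244.50
ns3.the-breakfast-dreams.com 76.106.45.169
ns3.the-breakfast-dreams.com 99.144.178.98
www.example.com 192.0.2.10
www.example.com 192.0.2.11
"""


def parse_observations(text):
    """Map each hostname to the set of IPv4 addresses it has been seen resolving to."""
    hosts = defaultdict(set)
    for line in text.strip().splitlines():
        host, ip = line.split()
        hosts[host.lower()].add(ipaddress.ip_address(ip))
    return hosts


def flux_score(ips):
    """(distinct addresses, distinct /16 prefixes) for one hostname."""
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return len(ips), len(prefixes)


def is_fast_flux(ips, min_addresses=10, min_prefixes=5):
    """Heuristic: a small legitimate site resolves to a few addresses in one or two
    netblocks; a flux front resolves to many addresses scattered across unrelated
    consumer ISP ranges. The thresholds are assumptions, not values from the post."""
    n_addr, n_pfx = flux_score(ips)
    return n_addr >= min_addresses and n_pfx >= min_prefixes


def flux_fronts(hosts):
    """Hostnames in the data set that look like Fast Flux fronts."""
    return sorted(h for h, ips in hosts.items() if is_fast_flux(ips))


def shared_nodes(hosts, a, b):
    """Addresses that have served both hostnames, lowest address first."""
    return [str(ip) for ip in sorted(hosts[a] & hosts[b])]


def overlap(hosts, a, b):
    """Jaccard similarity of two hostnames' address sets: near 0 for unrelated
    hosting, high when both are served by the same pool of infected machines."""
    union = hosts[a] | hosts[b]
    return len(hosts[a] & hosts[b]) / len(union) if union else 0.0


if __name__ == "__main__":
    hosts = parse_observations(OBSERVATIONS)
    for name, ips in hosts.items():
        print(f"{name:36} addresses={flux_score(ips)[0]:3} /16s={flux_score(ips)[1]:3} flux={is_fast_flux(ips)}")
    bell, paypal = "bell.ca.upgrade-accounts.com", "paypal.account-verifications.com"
    print("shared:", shared_nodes(hosts, bell, paypal))
    print("overlap: %.2f" % overlap(hosts, bell, paypal))
```

The nameserver hostname ns3.the-breakfast-dreams.com falls below the address threshold in this small sample, but note that every one of its addresses also appears under the Bell front: on a flux network the "nameservers" are just more infected machines from the same pool, which is what makes pivoting on them productive.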

Some nameserver groups on this network:

ns3.the-breakfast-dreams.com used by:

alliance-leicester830.com
alliance-leicester860.com
alliance-leicester890.com
alliance-leicester551.com
alliance-leicester851.com
alliance-leicester312.com
alliance-leicester304.com
alliance-leicester174.com
alliance-leicester076.com
alliance-leicester727.com
alliance-leicester547.com
alliance-leicester508.com
alliance-leicester028.com
alliance-leicester528.com
alliance-leicester038.com
alliance-leicester068.com
alliance-leicester259.com

ns2.my-toshi-dns.com used by:

alliance-leicester620.com
alliance-leicester830.com
alliance-leicester850.com
alliance-leicester860.com
alliance-leicester890.com
alliance-leicester851.com
alliance-leicester312.com
alliance-leicester882.com
alliance-leicester603.com
alliance-leicester423.com
alliance-leicester963.com
alliance-leicester174.com
alliance-leicester065.com
alliance-leicester446.com
alliance-leicester056.com
alliance-leicester076.com
alliance-leicester547.com
alliance-leicester508.com
alliance-leicester718.com
alliance-leicester528.com
alliance-leicester628.com
alliance-leicester038.com
alliance-leicester259.com
verification-processing.com

ns2.the-tzone-strip.com used by:

my-pictures-downloads.com (such as doc_v1.my-pictures-downloads.com)

Other than the correction of the mis-spelled "Costumer" to "Customer", both emails have the same wording:




This e-mail was sent by Bell Canada to notify you that we have temporarily prevented access to your account.

We have reasons to believe that your account may have been accessed by someone else.

Please verify your details by following the link below :

http://www.bell.ca/account-activation?id=539933

© Bell Canada
( Please do not reply to this e-mail , this account is not monitored. Follow the instructions in the e-mail )





We only received one copy of the first email, sent from a single computer in Peoria, Illinois attached to the OmniLec network: 207.152.69.115

The new email came from botnet computers all over the world, including computers in Argentina, Belgium, Brazil, Chile, Germany, Hong Kong, India, Israel, Italy, Portugal, Russia, Singapore, Spain, Taiwan, Uruguay, Vietnam, as well as US based networks large and small.

The spamming program inserts forged Received lines into the mail. A message from a computer in Spain, for instance, carries header lines that look quite troubling at face value: "mail.royalbank-usa.com" or "mxe.jpmchase.com"? On further review these "trusted" relays were never in the delivery path; the sending bot wrote those lines itself before handing the message to our server, and only the topmost Received line, the one our own server added, can be believed.


Received: from home (cm-85-152-241-195.telecable.es [85.152.241.195])
by [Gary's Server] (8.11.6/8.11.0) with ESMTP id n81JLV015681;
Tue, 1 Sep 2009 19:21:33 GMT
(envelope-from busybodiesoc8@home.com)
Received: from 85.152.241.195 by mxe.jpmchase.com; Tue, 1 Sep 2009 13:21:45 -0600
Date: Tue, 1 Sep 2009 13:21:45 -0600
From: Bell notification
X-Mailer: The Bat! (v2.00.2) Business
Reply-To: busybodiesoc8@home.com
X-Priority: 3 (Normal)
Message-ID: 236508618 .53500285241073
To: [Gary's spam trap]
Subject: Bell Online Notification
MIME-Version: 1.0
Content-Type: text/html;
charset=Windows-1252
Content-Transfer-Encoding: 7bit
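An added example (not code from this post) of the check that exposes the injected line in the header block above. Received lines are stacked newest-first, and only the top one, written by your own mail server, is trustworthy. Each line below it must have been written by the host the line above says it received the message from; the first break in that chain marks where the sender's own fabricated lines begin. The forged sample reproduces the header above with "[Gary's Server]" replaced by the placeholder our.mx.example and continuation lines indented so they fold correctly; the clean two-hop message is constructed for contrast.

```python
"""Walk the Received-header chain to find where injected ("false") lines begin."""
import re
from email import message_from_string

# Constructed copy of the header block in this post, with the placeholder
# our.mx.example standing in for the receiving server and unrelated headers dropped.
FORGED = """\
Received: from home (cm-85-152-241-195.telecable.es [85.152.241.195])
    by our.mx.example (8.11.6/8.11.0) with ESMTP id n81JLV015681;
    Tue, 1 Sep 2009 19:21:33 GMT
    (envelope-from busybodiesoc8@home.com)
Received: from 85.152.241.195 by mxe.jpmchase.com; Tue, 1 Sep 2009 13:21:45 -0600
Subject: Bell Online Notification

"""

# Constructed clean message: two hops whose chain is continuous.
CLEAN = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by our.mx.example with ESMTP; Tue, 1 Sep 2009 19:21:33 GMT
Received: from desk42.example.org (desk42.example.org [192.0.2.25])
    by mail.example.org with ESMTP; Tue, 1 Sep 2009 19:21:30 GMT
Subject: weekly report

"""

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>[^\s;]+)"      # name the sender announced in HELO/EHLO
    r"(?:\s*\((?P<paren>[^)]*)\))?"   # name and [ip] the receiving MTA observed, if logged
    r".*?\bby\s+(?P<by>[^\s;]+)",     # the MTA that claims to have written this line
    re.IGNORECASE,
)


def parse_received(value):
    """Return {'from': names the sender was seen as, 'by': receiving MTA}, or None."""
    m = RECEIVED_RE.match(" ".join(value.split()))
    if not m:
        return None
    names = {m["helo"].lower()}
    if m["paren"]:
        names |= {tok.strip("[]").lower() for tok in m["paren"].split()}
    return {"from": names, "by": m["by"].lower()}


def received_hops(raw):
    """Received lines, outermost first: hop 0 was added by our own server."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def trusted_hop_count(raw):
    """Hop i+1 is believable only if the MTA it claims wrote it ('by') is a host
    that hop i says it received from. Trust ends at the first break; every line
    below that point arrived inside the message, i.e. the sender supplied it."""
    hops = received_hops(raw)
    if not hops or hops[0] is None:
        return 0
    trusted = 1
    for outer, inner in zip(hops, hops[1:]):
        if inner is None or inner["by"] not in outer["from"]:
            break
        trusted += 1
    return trusted


def untrusted_by_hosts(raw):
    """Relays named by the Received lines below the trust boundary: the 'trusted'
    senders that were falsely injected."""
    hops = received_hops(raw)
    return [h["by"] for h in hops[trusted_hop_count(raw):] if h is not None]


def origin_ip(raw):
    """Address our server actually accepted the connection from (bracketed in hop 0)."""
    hops = received_hops(raw)
    if not hops or hops[0] is None:
        return None
    for tok in hops[0]["from"]:
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tok):
            return tok
    return None


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("clean", CLEAN)):
        print(label, "trusted hops:", trusted_hop_count(raw),
              "injected relays:", untrusted_by_hosts(raw),
              "real origin:", origin_ip(raw))
```

For the forged message the chain breaks immediately: our server received the connection from 85.152.241.195, yet the next line claims mxe.jpmchase.com wrote it, so that line and everything below it came from the bot. The real origin for abuse reports is the bracketed address in the top line, not anything the lower lines say.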




Some computers associated with hosting this campaign:

bell.ca.upgrade-accounts.com 121.221.140.248
bell.ca.upgrade-accounts.com 121.221.214.232
bell.ca.upgrade-accounts.com 121.221.238.162
bell.ca.upgrade-accounts.com 124.13.162.53
bell.ca.upgrade-accounts.com 129.93.154.62
bell.ca.upgrade-accounts.com 129.93.176.255
bell.ca.upgrade-accounts.com 138.210.154.36
bell.ca.upgrade-accounts.com 149.84.93.20
bell.ca.upgrade-accounts.com 174.103.124.144
bell.ca.upgrade-accounts.com 200.87.22.27
bell.ca.upgrade-accounts.com 202.181.203.146
bell.ca.upgrade-accounts.com 202.77.97.227
bell.ca.upgrade-accounts.com 203.213.76.12
bell.ca.upgrade-accounts.com 204.118.0.2
bell.ca.upgrade-accounts.com 207.112.105.241
bell.ca.upgrade-accounts.com 207.255.141.194
bell.ca.upgrade-accounts.com 209.204.65.148
bell.ca.upgrade-accounts.com 209.204.65.155
bell.ca.upgrade-accounts.com 209.204.65.225
bell.ca.upgrade-accounts.com 209.204.73.181
bell.ca.upgrade-accounts.com 209.204.76.245
bell.ca.upgrade-accounts.com 212.183.199.25
bell.ca.upgrade-accounts.com 213.77.79.30
bell.ca.upgrade-accounts.com 213.94.231.25
bell.ca.upgrade-accounts.com 216.16.111.15
bell.ca.upgrade-accounts.com 216.209.249.145
bell.ca.upgrade-accounts.com 216.63.106.83
bell.ca.upgrade-accounts.com 217.166.213.26
bell.ca.upgrade-accounts.com 219.83.125.242
bell.ca.upgrade-accounts.com 220.253.17.133
bell.ca.upgrade-accounts.com 220.253.52.194
bell.ca.upgrade-accounts.com 220.253.7.121
bell.ca.upgrade-accounts.com 24.164.252.40
bell.ca.upgrade-accounts.com 24.176.238.10
bell.ca.upgrade-accounts.com 24.2.218.189
bell.ca.upgrade-accounts.com 24.224.130.181
bell.ca.upgrade-accounts.com 24.231.38.216
bell.ca.upgrade-accounts.com 24.24.222.220
bell.ca.upgrade-accounts.com 58.179.58.93
bell.ca.upgrade-accounts.com 60.51.55.131
bell.ca.upgrade-accounts.com 60.53.164.146
bell.ca.upgrade-accounts.com 60.53.50.130
bell.ca.upgrade-accounts.com 62.219.139.9
bell.ca.upgrade-accounts.com 64.150.244.50
bell.ca.upgrade-accounts.com 64.77.247.214
bell.ca.upgrade-accounts.com 65.202.231.12
bell.ca.upgrade-accounts.com 65.64.101.64
bell.ca.upgrade-accounts.com 65.75.110.66
bell.ca.upgrade-accounts.com 66.140.75.206
bell.ca.upgrade-accounts.com 66.169.38.6
bell.ca.upgrade-accounts.com 66.41.35.61
bell.ca.upgrade-accounts.com 66.56.48.61
bell.ca.upgrade-accounts.com 67.110.218.85
bell.ca.upgrade-accounts.com 67.176.38.186
bell.ca.upgrade-accounts.com 67.189.218.254
bell.ca.upgrade-accounts.com 67.244.94.2
bell.ca.upgrade-accounts.com 67.55.133.223
bell.ca.upgrade-accounts.com 67.77.32.172
bell.ca.upgrade-accounts.com 68.112.23.119
bell.ca.upgrade-accounts.com 68.127.17.153
bell.ca.upgrade-accounts.com 68.89.235.44
bell.ca.upgrade-accounts.com 69.228.83.3
bell.ca.upgrade-accounts.com 69.65.178.183
bell.ca.upgrade-accounts.com 69.88.210.46
bell.ca.upgrade-accounts.com 70.211.102.143
bell.ca.upgrade-accounts.com 70.220.79.109
bell.ca.upgrade-accounts.com 71.198.190.25
bell.ca.upgrade-accounts.com 71.205.3.107
bell.ca.upgrade-accounts.com 71.235.236.26
bell.ca.upgrade-accounts.com 71.236.171.101
bell.ca.upgrade-accounts.com 71.9.74.21
bell.ca.upgrade-accounts.com 72.188.10.131
bell.ca.upgrade-accounts.com 74.210.179.153
bell.ca.upgrade-accounts.com 75.198.56.175
bell.ca.upgrade-accounts.com 75.254.58.29
bell.ca.upgrade-accounts.com 75.26.163.159
bell.ca.upgrade-accounts.com 75.53.216.199
bell.ca.upgrade-accounts.com 75.64.12.251
bell.ca.upgrade-accounts.com 75.71.206.166
bell.ca.upgrade-accounts.com 76.106.45.169
bell.ca.upgrade-accounts.com 76.121.95.161
bell.ca.upgrade-accounts.com 76.211.231.228
bell.ca.upgrade-accounts.com 76.226.3.189
bell.ca.upgrade-accounts.com 77.126.129.61
bell.ca.upgrade-accounts.com 78.106.15.143
bell.ca.upgrade-accounts.com 79.179.121.187
bell.ca.upgrade-accounts.com 79.182.107.157
bell.ca.upgrade-accounts.com 79.78.247.155
bell.ca.upgrade-accounts.com 79.78.250.33
bell.ca.upgrade-accounts.com 80.186.4.160
bell.ca.upgrade-accounts.com 80.243.252.246
bell.ca.upgrade-accounts.com 81.56.250.159
bell.ca.upgrade-accounts.com 81.56.67.245
bell.ca.upgrade-accounts.com 81.57.3.231
bell.ca.upgrade-accounts.com 82.192.130.213
bell.ca.upgrade-accounts.com 82.224.8.132
bell.ca.upgrade-accounts.com 82.54.130.181
bell.ca.upgrade-accounts.com 83.217.136.210
bell.ca.upgrade-accounts.com 84.215.65.58
bell.ca.upgrade-accounts.com 84.224.17.130
bell.ca.upgrade-accounts.com 84.224.21.84
bell.ca.upgrade-accounts.com 84.224.59.118
bell.ca.upgrade-accounts.com 84.224.74.194
bell.ca.upgrade-accounts.com 84.224.82.197
bell.ca.upgrade-accounts.com 84.99.95.231
bell.ca.upgrade-accounts.com 86.20.198.55
bell.ca.upgrade-accounts.com 86.52.55.254
bell.ca.upgrade-accounts.com 88.169.2.156
bell.ca.upgrade-accounts.com 88.185.146.240
bell.ca.upgrade-accounts.com 88.61.120.136
bell.ca.upgrade-accounts.com 89.195.11.101
bell.ca.upgrade-accounts.com 89.195.203.163
bell.ca.upgrade-accounts.com 89.195.69.140
bell.ca.upgrade-accounts.com 91.67.60.242
bell.ca.upgrade-accounts.com 92.11.210.200
bell.ca.upgrade-accounts.com 92.15.0.90
bell.ca.upgrade-accounts.com 92.41.10.236
bell.ca.upgrade-accounts.com 92.49.112.66
bell.ca.upgrade-accounts.com 93.80.43.196
bell.ca.upgrade-accounts.com 93.81.219.84
bell.ca.upgrade-accounts.com 95.221.8.233
bell.ca.upgrade-accounts.com 98.154.121.106
bell.ca.upgrade-accounts.com 98.193.136.121
bell.ca.upgrade-accounts.com 98.208.170.143
bell.ca.upgrade-accounts.com 98.239.34.67
bell.ca.upgrade-accounts.com 99.144.178.98
ns2.my-toshi-dns.com 216.16.111.15
ns2.my-toshi-dns.com 24.164.252.40
ns2.my-toshi-dns.com 64.150.244.50
ns2.my-toshi-dns.com 66.41.35.61
ns2.my-toshi-dns.com 67.60.51.148
ns2.my-toshi-dns.com 68.61.133.232
ns2.my-toshi-dns.com 69.88.210.46
ns2.my-toshi-dns.com 72.188.10.131
ns2.my-toshi-dns.com 74.137.209.179
ns2.my-toshi-dns.com 76.106.45.169
ns2.my-toshi-dns.com 76.226.3.189
ns2.my-toshi-dns.com 79.182.107.157
ns2.my-toshi-dns.com 82.81.59.108
ns2.my-toshi-dns.com 98.231.216.148
ns2.my-toshi-dns.com 99.144.178.98
ns2.my-toshi-dns.com 99.145.1.33
ns3.the-breakfast-dreams.com 138.210.154.36
ns3.the-breakfast-dreams.com 204.118.0.2
ns3.the-breakfast-dreams.com 216.16.111.15
ns3.the-breakfast-dreams.com 24.224.130.181
ns3.the-breakfast-dreams.com 24.24.222.220
ns3.the-breakfast-dreams.com 64.150.244.50
ns3.the-breakfast-dreams.com 66.56.48.61
ns3.the-breakfast-dreams.com 67.176.38.186
ns3.the-breakfast-dreams.com 67.189.218.254
ns3.the-breakfast-dreams.com 69.88.210.46
ns3.the-breakfast-dreams.com 71.9.74.21
ns3.the-breakfast-dreams.com 75.53.216.199
ns3.the-breakfast-dreams.com 76.106.45.169
ns3.the-breakfast-dreams.com 76.226.3.189
ns3.the-breakfast-dreams.com 79.182.107.157
ns3.the-breakfast-dreams.com 99.144.178.98

Here is a sample of the Paypal version of this phishing campaign . . . the samples received on 02SEP09 actually give the red-letter due date of September 4, 2009.



And this is what the destination website looks like:



paypal.account-verifications.com 121.221.178.220
paypal.account-verifications.com 121.221.27.162
paypal.account-verifications.com 121.221.38.55
paypal.account-verifications.com 124.13.161.90
paypal.account-verifications.com 124.178.143.91
paypal.account-verifications.com 124.178.61.167
paypal.account-verifications.com 138.210.154.36
paypal.account-verifications.com 143.238.217.216
paypal.account-verifications.com 149.84.93.20
paypal.account-verifications.com 173.24.196.107
paypal.account-verifications.com 174.103.124.144
paypal.account-verifications.com 174.112.140.242
paypal.account-verifications.com 189.100.238.142
paypal.account-verifications.com 189.102.0.4
paypal.account-verifications.com 200.181.232.149
paypal.account-verifications.com 200.87.22.27
paypal.account-verifications.com 202.131.190.199
paypal.account-verifications.com 202.181.203.146
paypal.account-verifications.com 202.77.97.227
paypal.account-verifications.com 203.213.76.12
paypal.account-verifications.com 204.118.0.2
paypal.account-verifications.com 207.112.105.241
paypal.account-verifications.com 207.255.141.194
paypal.account-verifications.com 209.226.103.11
paypal.account-verifications.com 212.183.199.25
paypal.account-verifications.com 213.213.224.71
paypal.account-verifications.com 213.77.79.30
paypal.account-verifications.com 213.94.231.25
paypal.account-verifications.com 216.16.111.15
paypal.account-verifications.com 216.209.249.45
paypal.account-verifications.com 216.209.249.62
paypal.account-verifications.com 217.166.213.26
paypal.account-verifications.com 219.83.125.242
paypal.account-verifications.com 220.253.150.163
paypal.account-verifications.com 220.253.17.133
paypal.account-verifications.com 220.253.34.101
paypal.account-verifications.com 220.253.5.151
paypal.account-verifications.com 24.11.189.120
paypal.account-verifications.com 24.161.9.69
paypal.account-verifications.com 24.164.252.40
paypal.account-verifications.com 24.167.235.62
paypal.account-verifications.com 24.176.238.10
paypal.account-verifications.com 24.2.218.189
paypal.account-verifications.com 24.205.113.172
paypal.account-verifications.com 24.215.216.188
paypal.account-verifications.com 24.224.130.181
paypal.account-verifications.com 24.244.131.150
paypal.account-verifications.com 24.95.71.28
paypal.account-verifications.com 58.175.18.110
paypal.account-verifications.com 58.179.58.219
paypal.account-verifications.com 60.53.167.111
paypal.account-verifications.com 64.150.244.50
paypal.account-verifications.com 64.212.203.42
paypal.account-verifications.com 65.202.231.12
paypal.account-verifications.com 65.64.101.64
paypal.account-verifications.com 65.75.110.66
paypal.account-verifications.com 66.169.38.6
paypal.account-verifications.com 66.38.128.32
paypal.account-verifications.com 66.56.48.61
paypal.account-verifications.com 66.68.181.143
paypal.account-verifications.com 67.110.218.85
paypal.account-verifications.com 67.176.38.186
paypal.account-verifications.com 67.189.218.254
paypal.account-verifications.com 67.203.215.110
paypal.account-verifications.com 67.206.200.69
paypal.account-verifications.com 67.206.217.237
paypal.account-verifications.com 67.206.253.9
paypal.account-verifications.com 67.244.94.2
paypal.account-verifications.com 67.55.133.223
paypal.account-verifications.com 67.60.51.148
paypal.account-verifications.com 67.77.32.172
paypal.account-verifications.com 68.127.17.153
paypal.account-verifications.com 68.61.133.232
paypal.account-verifications.com 69.228.200.191
paypal.account-verifications.com 69.228.93.155
paypal.account-verifications.com 69.249.191.186
paypal.account-verifications.com 69.65.178.183
paypal.account-verifications.com 69.88.210.46
paypal.account-verifications.com 70.208.53.169
paypal.account-verifications.com 70.220.128.146
paypal.account-verifications.com 71.198.190.25
paypal.account-verifications.com 71.205.3.107
paypal.account-verifications.com 71.59.170.64
paypal.account-verifications.com 72.188.10.131
paypal.account-verifications.com 72.191.126.193
paypal.account-verifications.com 72.228.110.6
paypal.account-verifications.com 74.137.209.179
paypal.account-verifications.com 74.138.241.23
paypal.account-verifications.com 74.138.245.15
paypal.account-verifications.com 74.210.179.153
paypal.account-verifications.com 74.76.198.115
paypal.account-verifications.com 74.76.201.187
paypal.account-verifications.com 75.198.244.63
paypal.account-verifications.com 75.199.44.68
paypal.account-verifications.com 75.53.213.231
paypal.account-verifications.com 75.64.12.251
paypal.account-verifications.com 75.71.206.166
paypal.account-verifications.com 76.106.45.169
paypal.account-verifications.com 76.121.95.161
paypal.account-verifications.com 76.211.231.228
paypal.account-verifications.com 76.226.3.189
paypal.account-verifications.com 76.251.30.161
paypal.account-verifications.com 76.251.30.217
paypal.account-verifications.com 77.126.129.61
paypal.account-verifications.com 77.126.224.30
paypal.account-verifications.com 77.98.104.107
paypal.account-verifications.com 78.106.150.21
paypal.account-verifications.com 78.106.36.178
paypal.account-verifications.com 79.182.107.157
paypal.account-verifications.com 79.78.132.207
paypal.account-verifications.com 79.78.174.115
paypal.account-verifications.com 79.78.194.155
paypal.account-verifications.com 80.2.198.148
paypal.account-verifications.com 80.243.252.246
paypal.account-verifications.com 80.243.255.209
paypal.account-verifications.com 81.56.250.159
paypal.account-verifications.com 81.56.67.245
paypal.account-verifications.com 81.57.3.231
paypal.account-verifications.com 82.192.130.213
paypal.account-verifications.com 82.224.8.132
paypal.account-verifications.com 82.54.130.181
paypal.account-verifications.com 82.81.59.108
paypal.account-verifications.com 83.217.136.210
paypal.account-verifications.com 84.215.65.58
paypal.account-verifications.com 84.224.110.22
paypal.account-verifications.com 84.224.123.17
paypal.account-verifications.com 84.224.41.3
paypal.account-verifications.com 84.224.79.166
paypal.account-verifications.com 84.224.86.75
paypal.account-verifications.com 84.99.63.200
paypal.account-verifications.com 85.156.144.24
paypal.account-verifications.com 85.156.191.12
paypal.account-verifications.com 85.218.15.247
paypal.account-verifications.com 86.20.198.55
paypal.account-verifications.com 88.169.2.156
paypal.account-verifications.com 88.185.146.240
paypal.account-verifications.com 89.178.117.148
paypal.account-verifications.com 89.195.143.55
paypal.account-verifications.com 89.195.70.163
paypal.account-verifications.com 89.242.111.217
paypal.account-verifications.com 91.107.224.186
paypal.account-verifications.com 91.67.60.242
paypal.account-verifications.com 93.80.41.163
paypal.account-verifications.com 94.197.114.111
paypal.account-verifications.com 98.151.171.171
paypal.account-verifications.com 98.154.122.245
paypal.account-verifications.com 98.193.136.121
paypal.account-verifications.com 98.208.170.143
paypal.account-verifications.com 98.231.216.148
paypal.account-verifications.com 98.239.34.67
paypal.account-verifications.com 98.249.93.67
paypal.account-verifications.com 99.139.126.44
paypal.account-verifications.com 99.141.212.29
paypal.account-verifications.com 99.144.178.98
paypal.account-verifications.com 99.145.1.33
paypal.account-verifications.com 99.154.247.41
