[nsp-sec] active Bank of America phish site

Justin M. Streiner streiner at cluebyfour.org
Tue Jun 17 12:45:36 EDT 2008


The phish site (sitebankofamerica.virtual.access.key.dbhttserv19.com) is 
currently active.  If anyone can help stomp on the hosts behind that site 
or the NS/SOAs, it would be greatly appreciated :)  I'm also sure the 
BofA security guys would love any forensic evidence that can be gathered 
from the boxes...

The site is active as of 15:30 GMT today, but it's possible that not all 
of the hosts below are still actively serving the content, i.e. some hosts 
might have already been taken down.

It seems to be fairly well organized, given the distribution of the name 
servers.  Perhaps this is another RBN mutation?

asn	| ip_addr		| rir	| org_name
209	| 205.215.222.195	| ARIN	| ASN-QWEST
3216	| 212.46.227.100	| RIPE	| Golden Telecom, Moscow, Russia
3340	| 195.56.29.103		| RIPE	| DataNet Telecommunication Ltd., Hungary
4766	| 59.22.182.42		| APNIC | Korea Telecom
5617	| 79.186.148.18		| RIPE	| Polish Telecom
8402	| 78.106.67.29		| RIPE	| Corbina Telecom
8551	| 84.109.48.171		| RIPE	| Bezeqint Internet Backbone
8708	| 79.116.227.11		| RIPE	| RCS & RDS S.A.
8708	| 79.118.190.116	| RIPE	| RCS & RDS S.A.
8708	| 86.121.163.102	| RIPE	| RCS & RDS S.A.
12322	| 82.64.35.61		| RIPE	| Proxad / Free SAS
15858	| 89.40.248.145		| RIPE	| Planet Rivulus SR
20771	| 93.177.134.225	| RIPE	| DeltaNet Autonomous System
22291	| 71.94.239.167		| ARIN	| Charter Communications
28751	| 78.139.131.112	| RIPE	| Caucasus Online Gepon net #1
33818	| 80.250.168.32		| RIPE	| Magistral, Ltd, ISP
41633	| 89.39.198.65		| RIPE	| SC X-treme Networking SRL
41950	| 77.81.49.159		| RIPE	| SC NETLOG COMPUTER SRL

NS records point here (nsX.godns1334.com):
asn	| ip_addr		| rir	| org_name
7418	| 190.21.164.223	| LACNIC| Terra Networks Chile S.A.
8402	| 93.81.66.93		| RIPE	| Corbina Telecom
9050	| 89.123.25.152		| RIPE	| ROMTELECOM S.A
12705	| 90.151.32.18		| RIPE	| OJSC "Uralsviazinform"
25515	| 77.51.110.12		| RIPE	| CTCNET-AS

SOA points to ns.dbhttserv19.com, which is also highly distributed, but 
seems to line up pretty closely to the list of hosts above that are 
actually serving/proxying the BofA login page.

asn	| ip_addr		| rir	| org_name
209	| 205.215.222.195	| ARIN	| ASN-QWEST
3340	| 195.56.29.103		| RIPE	| DataNet Telecommunication Ltd., Hungary
4766	| 59.22.182.42		| APNIC | Korea Telecom
5617	| 79.186.148.18		| RIPE	| Polish Telecom
8551	| 84.109.48.171		| RIPE	| Bezeqint Internet Backbone
8708	| 79.116.227.11		| RIPE	| RCS & RDS S.A.
8708	| 79.118.190.116	| RIPE	| RCS & RDS S.A.
8708	| 86.121.163.102	| RIPE	| RCS & RDS S.A.
9121	| 85.102.191.88		| RIPE	| TTnet Autonomous System
9141	| 84.10.198.117		| RIPE	| UPC Poland
12322	| 82.64.35.61		| RIPE	| Proxad / Free SAS
20771	| 93.177.134.225	| RIPE	| DeltaNet Autonomous System
22291	| 71.94.239.167		| ARIN	| Charter Communications
41950	| 77.81.49.159		| RIPE	| SC NETLOG COMPUTER SRL

jms
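The point made above, that the web hosts and the SOA nameserver hosts are spread across many ASNs and largely the same machines, can be checked mechanically. This is an added example (not from the original post): it parses tables in the post's `asn | ip_addr | rir | org_name` layout, counts ASN/RIR spread, and measures how many SOA server IPs also serve the page. The embedded rows are a constructed subset of the tables above, and the thresholds are assumptions.

```python
from collections import Counter

# Constructed sample in the post's layout: a subset of the rows above, not the full lists.
WEB_HOSTS = """\
asn    | ip_addr         | rir   | org_name
209    | 205.215.222.195 | ARIN  | ASN-QWEST
3216   | 212.46.227.100  | RIPE  | Golden Telecom, Moscow, Russia
4766   | 59.22.182.42    | APNIC | Korea Telecom
8708   | 79.116.227.11   | RIPE  | RCS & RDS S.A.
22291  | 71.94.239.167   | ARIN  | Charter Communications
"""
SOA_HOSTS = """\
asn    | ip_addr         | rir   | org_name
209    | 205.215.222.195 | ARIN  | ASN-QWEST
4766   | 59.22.182.42    | APNIC | Korea Telecom
8708   | 79.116.227.11   | RIPE  | RCS & RDS S.A.
9141   | 84.10.198.117   | RIPE  | UPC Poland
22291  | 71.94.239.167   | ARIN  | Charter Communications
"""

def parse_table(text):
    """Return {ip: (asn, rir, org)} for one pipe-delimited table, skipping the header row."""
    hosts = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4 or cells[0] == "asn":
            continue
        asn, ip, rir, org = cells
        hosts[ip] = (int(asn), rir, org)
    return hosts

def spread(hosts):
    """Distinct ASNs and per-RIR counts: one hostname backed by many unrelated
    networks is the distributed (botted-host) pattern the post describes."""
    asns = {v[0] for v in hosts.values()}
    rirs = Counter(v[1] for v in hosts.values())
    return len(hosts), len(asns), dict(rirs)

def overlap(web, soa):
    """IPs that both serve the page and act as SOA nameserver, and their share of the SOA set."""
    common = sorted(set(web) & set(soa))
    return common, len(common) / len(soa)

def triage(web_text, soa_text, min_asns=5, min_overlap=0.5):
    """Assumed thresholds: >= min_asns distinct ASNs and >= min_overlap shared IPs."""
    web, soa = parse_table(web_text), parse_table(soa_text)
    n_hosts, n_asns, rirs = spread(web)
    common, ratio = overlap(web, soa)
    return {"hosts": n_hosts, "asns": n_asns, "rirs": rirs, "shared_ips": common,
            "overlap": ratio, "flux_like": n_asns >= min_asns and ratio >= min_overlap}
```

On the full tables in the post the same functions give the overlap the author eyeballed; feeding the live DNS answers instead of pasted tables would need a resolver and an IP-to-ASN lookup, which this offline example deliberately omits.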

---------- Forwarded message ----------
Return-Path: <xogcalmetrogel at calmetro.com>
Delivered-To: streiner at cluebyfour.org
Received: (qmail 24813 invoked by uid 210); 17 Jun 2008 14:53:54 -0000
Received: from smtp-mx-03.mx.pitdc1.expedient.net by whammy (envelope-from
     <xogcalmetrogel at calmetro.com>, uid 201) with qmail-scanner-2.02st
  (clamdscan: 0.93/7494. spamassassin: 3.2.1. perlscan: 2.02st.
  Clear:RC:0(208.12.111.8):SA:0(0.9/5.0):.
  Processed in 2.381319 secs); 17 Jun 2008 14:53:54 -0000
X-Spam-Status: No, hits=0.9 required=5.0
Received: from smtp-mx-03.mx.pitdc1.expedient.net (208.12.111.8)
   by 192.168.1.69 with SMTP; 17 Jun 2008 14:53:52 -0000
Received: from localhost (unknown [127.0.0.2])
     by smtp-mx-03.mx.pitdc1.expedient.net (Postfix) with ESMTP id 48DCC7852F;
     Tue, 17 Jun 2008 10:53:52 -0400 (EDT)
X-Virus-Scanned: by amavisd-new at mail.stargate.net
Received: from smtp-mx-03.mx.pitdc1.expedient.net ([208.12.111.8])
     by localhost (smtp-mx-03.mx.pitdc1.expedient.net [127.0.0.2]) (amavisd-new,
     port 10024)
     with LMTP id xGt3OfMnMyMN; Tue, 17 Jun 2008 10:53:47 -0400 (EDT)
Received: from janna (ppp91-196-75-216.pppoe.katrina.ru [91.196.75.216])
     by smtp-mx-03.mx.pitdc1.expedient.net (Postfix) with ESMTP id E837BD40F1;
     Tue, 17 Jun 2008 10:53:46 -0400 (EDT)
Received: from [91.196.75.216] by calmetro.com; Tue, 17 Jun 2008 17:53:46 +0300
Date:	Tue, 17 Jun 2008 17:53:46 +0300
From:	"Customer Support" <xogcalmetrogel at calmetro.com>
X-Mailer: The Bat! (v3.71.14) Professional
Reply-To: xogcalmetrogel at calmetro.com
X-Priority: 3 (Normal)
Message-ID: <311205400.51374539633977 at calmetro.com>
To: stevemiller at stargate.net
Subject: Dear Valued Customer
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="----------40109DAAAA3E54"

------------40109DAAAA3E54
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

Bank of America

Your Card is about to expire
CASE ID: KLFHYAPP15647

You Bank of america card is about to expire. 
In order to remain active, please follow link below to proceed and activate your account.

Login here
http://sitebankofamerica.virtual.access.key.dbhttserv19.com/sitekey.bankofamerica.com.sas.signon.do2/

Thank you for your patience

Sincerely Yours,
Bank of America Customer Support


*Important*
Please do not reply to this email.
Email sent to this address can not be answered.
Bank of America never sends their users emails requesting personal details in this way.
------------40109DAAAA3E54
Content-Type: text/html; charset=Windows-1252
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

<table  width="550" border="0" cellpadding="0" cellspacing="0">
<tr>
<td><h3><font color="#0052C2" face="Arial, Helvetica, sans-serif">Bank of America</font> </h3>

</td>
</tr>
<tr>
<td><h2>Your Card is about to expire</h2>
<br>
CASE ID: KLFHYAPP15647<br></td>
</tr>
<tr>
<td><hr></td>
</tr>
<tr>
<tr>
<td>

<p>You Bank of america card is about to expire, In order to remain active, please follow link below to proceed and activate your account.<br>
<br>
<a
href="http://sitebankofamerica.virtual.access.key.dbhttserv19.com/sitekey.bankofamerica.com.sas.signon.do2/">Login 
here</a><br>
<br>
Thank you for your patience<br>
<br> 
Sincerely Yours,<br>
Bank of America Customer Support<br> 
<br> 
<br> 
*Important*<br> 
Please do not reply to this email.</br> 
Email sent to this address can not be answered.</br> 
Bank of America never sends their users emails requesting personal details in this way.<br>
<br>
</p>
</td>
</tr>
</table>

</BODY></HTML>
------------40109DAAAA3E54--
