[nsp-sec] active Bank of America phish site
Smith, Donald
Donald.Smith at qwest.com
Tue Jun 17 13:29:44 EDT 2008
First ACK for our one customer.
Second, this appears to be double fast fluxed so there may not be much
forensics material available in the first level as the first level
likely just has a port forwarder on it.
They are using some of the same IPs for the site and the first level
site dbhttserv19.com.
I suspect someone will find this is set up for more than just BOA.
dig sitebankofamerica.virtual.access.key.dbhttserv19.com
; <<>> DiG 8.1 <<>> sitebankofamerica.virtual.access.key.dbhttserv19.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 5, ADDITIONAL: 0
;; QUERY SECTION:
;; sitebankofamerica.virtual.access.key.dbhttserv19.com, type = A, class = IN
;; ANSWER SECTION:
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 93.177.134.225
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 79.118.190.116
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 71.94.239.167
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 77.81.49.159
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 217.20.91.220
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 85.102.191.88
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 195.56.29.103
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 205.215.222.195
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 59.22.182.42
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 84.109.48.171
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 86.121.163.102
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 41.200.130.14
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 89.40.248.145
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 92.81.169.88
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 88.234.197.79
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 79.186.148.18
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 82.77.114.147
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 83.24.117.44
;; AUTHORITY SECTION:
dbhttserv19.com. 1d23h58m44s IN NS ns4.godns1334.com.
dbhttserv19.com. 1d23h58m44s IN NS ns2.godns1334.com.
dbhttserv19.com. 1d23h58m44s IN NS ns1.godns1334.com.
dbhttserv19.com. 1d23h58m44s IN NS ns3.godns1334.com.
dbhttserv19.com. 1d23h58m44s IN NS ns5.godns1334.com.
dig dbhttserv19.com
; <<>> DiG 8.1 <<>> dbhttserv19.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 5, ADDITIONAL: 0
;; QUERY SECTION:
;; dbhttserv19.com, type = A, class = IN
;; ANSWER SECTION:
dbhttserv19.com. 3M IN A 71.94.239.167
dbhttserv19.com. 3M IN A 195.56.29.103
dbhttserv19.com. 3M IN A 85.102.191.88
dbhttserv19.com. 3M IN A 93.177.145.205
dbhttserv19.com. 3M IN A 86.121.163.102
dbhttserv19.com. 3M IN A 81.190.178.144
dbhttserv19.com. 3M IN A 205.215.222.195
dbhttserv19.com. 3M IN A 83.4.223.175
dbhttserv19.com. 3M IN A 85.121.60.51
dbhttserv19.com. 3M IN A 201.76.248.245
dbhttserv19.com. 3M IN A 88.234.197.79
dbhttserv19.com. 3M IN A 79.119.120.169
dbhttserv19.com. 3M IN A 77.127.180.246
dbhttserv19.com. 3M IN A 77.103.39.131
dbhttserv19.com. 3M IN A 77.81.49.159
;; AUTHORITY SECTION:
dbhttserv19.com. 1d23h58m2s IN NS ns4.godns1334.com.
dbhttserv19.com. 1d23h58m2s IN NS ns2.godns1334.com.
dbhttserv19.com. 1d23h58m2s IN NS ns1.godns1334.com.
dbhttserv19.com. 1d23h58m2s IN NS ns3.godns1334.com.
dbhttserv19.com. 1d23h58m2s IN NS ns5.godns1334.com.
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Justin M. Streiner
> Sent: Tuesday, June 17, 2008 10:46 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] active Bank of America phish site
>
> ----------- nsp-security Confidential --------
>
> The phish site (sitebankofamerica.virtual.access.key.dbhttserv19.com) is
> currently active. If anyone can help stomp on the hosts behind that site
> or the NS/SOAs, it would be greatly appreciated :) I'm also sure the
> BofA security guys would love any forensic evidence that can be gathered
> from the boxes...
>
> The site is active as of 15:30 GMT today, but it's possible that not all
> of the hosts below are still actively serving the content, i.e. some hosts
> might have already been taken down.
>
> It seems to be fairly well organized, given the distribution of the name
> servers. Perhaps this is another RBN mutation?
>
> asn | ip_addr | rir | org_name
> 209 | 205.215.222.195 | ARIN | ASN-QWEST
<SNIP>
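As an added example (not code from the message or from either poster), a small Python parser over dig's one-record-per-line answer format that pulls out the fast-flux indicators the thread discusses: short TTLs, many A records spread over many networks, nameservers under a different domain (ns*.godns1334.com for dbhttserv19.com), and the IP overlap between the phish hostname and the first-level domain. The record lines are an excerpt of the two dig answers above, joined onto single lines; the thresholds are assumptions chosen for illustration.

```python
import re
# Excerpt of the two dig answers quoted above, joined to DiG's one-record-per-line
# form: five A records and one NS record each (the full answers had 18 and 15 A's).
DIG_HOST = """\
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 93.177.134.225
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 79.118.190.116
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 71.94.239.167
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 77.81.49.159
sitebankofamerica.virtual.access.key.dbhttserv19.com. 1m44s IN A 85.102.191.88
dbhttserv19.com. 1d23h58m44s IN NS ns4.godns1334.com.
"""
DIG_DOMAIN = """\
dbhttserv19.com. 3M IN A 71.94.239.167
dbhttserv19.com. 3M IN A 195.56.29.103
dbhttserv19.com. 3M IN A 85.102.191.88
dbhttserv19.com. 3M IN A 93.177.145.205
dbhttserv19.com. 3M IN A 77.81.49.159
dbhttserv19.com. 1d23h58m2s IN NS ns1.godns1334.com.
"""
RR = re.compile(r"^(\S+)\s+(\S+)\s+IN\s+(A|NS)\s+(\S+)$")
UNIT = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def ttl_seconds(text):
    """'1m44s' -> 104, '3M' -> 180 (DiG 8 prints round TTLs as one uppercase unit)."""
    return sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([wdhms])", text.lower()))

def parse(dig_text):
    """Return {'A': {ip: ttl}, 'NS': {name: ttl}} from dig answer/authority lines."""
    recs = {"A": {}, "NS": {}}
    for line in dig_text.splitlines():
        m = RR.match(line.strip())
        if m:
            recs[m.group(3)][m.group(4)] = ttl_seconds(m.group(2))
    return recs

def flux_indicators(recs, zone, max_ttl=300, min_ips=5, min_nets=3):
    """Defender-side fast-flux heuristics (assumed thresholds); each flag is independent."""
    ips, nss = recs["A"], recs["NS"]
    nets = {ip.rsplit(".", 2)[0] for ip in ips}  # distinct /16s the answers span
    return {
        "short_ttl": bool(ips) and max(ips.values()) <= max_ttl,
        "many_ips": len(ips) >= min_ips,
        "spread": len(nets) >= min_nets,
        # NS hosts that live outside the zone itself, as ns*.godns1334.com do here
        "foreign_ns": bool(nss) and all(not ns.endswith("." + zone) for ns in nss),
    }

def shared_ips(a, b):
    """IPs serving both names: the first-level overlap the message points out."""
    return sorted(set(a["A"]) & set(b["A"]))
```

For a live check, pipe `dig +noall +answer +authority <name>` into `parse()`; the same record format applies.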