[nsp-sec] active Bank of America phish site

Smith, Donald Donald.Smith at qwest.com
Tue Jun 17 14:52:09 EDT 2008


Limited reachability within some networks now:)


Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Justin M. Streiner
> Sent: Tuesday, June 17, 2008 10:46 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] active Bank of America phish site
> 
> ----------- nsp-security Confidential --------
> 
> The phish site (sitebankofamerica.virtual.access.key.dbhttserv19.com) is
> currently active.  If anyone can help stomp on the hosts behind that site
> or the NS/SOAs, it would be greatly appreciated :)  I'm also sure the
> BofA security guys would love any forensic evidence that can be gathered
> from the boxes...
> 
> The site is active as of 15:30 GMT today, but it's possible that not all
> of the hosts below are still actively serving the content, i.e. some hosts
> might have already been taken down.
> 
> It seems to be fairly well organized, given the distribution of the name
> servers.  Perhaps this is another RBN mutation?
> 
> asn	| ip_addr		| rir	| org_name
> 209	| 205.215.222.195	| ARIN	| ASN-QWEST
> 3216	| 212.46.227.100	| RIPE	| Golden Telecom, Moscow, Russia
> 3340	| 195.56.29.103		| RIPE	| DataNet Telecommunication Ltd., Hungary
> 4766	| 59.22.182.42		| APNIC | Korea Telecom
> 5617	| 79.186.148.18		| RIPE	| Polish Telecom
> 8402	| 78.106.67.29		| RIPE	| Corbina Telecom
> 8551	| 84.109.48.171		| RIPE	| Bezeqint Internet Backbone
> 8708	| 79.116.227.11		| RIPE	| RCS & RDS S.A.
> 8708	| 79.118.190.116	| RIPE	| RCS & RDS S.A.
> 8708	| 86.121.163.102	| RIPE	| RCS & RDS S.A.
> 12322	| 82.64.35.61		| RIPE	| Proxad / Free SAS
> 15858	| 89.40.248.145		| RIPE	| Planet Rivulus SR
> 20771	| 93.177.134.225	| RIPE	| DeltaNet Autonomous System
> 22291	| 71.94.239.167		| ARIN	| Charter Communications
> 28751	| 78.139.131.112	| RIPE	| Caucasus Online Gepon net #1
> 33818	| 80.250.168.32		| RIPE	| Magistral, Ltd, ISP
> 41633	| 89.39.198.65		| RIPE	| SC X-treme Networking SRL
> 41950	| 77.81.49.159		| RIPE	| SC NETLOG COMPUTER SRL
> 
> NS records point here (nsX.godns1334.com):
> asn	| ip_addr		| rir	| org_name
> 7418	| 190.21.164.223	| LACNIC| Terra Networks Chile S.A.
> 8402	| 93.81.66.93		| RIPE	| Corbina Telecom
> 9050	| 89.123.25.152		| RIPE	| ROMTELECOM S.A
> 12705	| 90.151.32.18		| RIPE	| OJSC "Uralsviazinform"
> 25515	| 77.51.110.12		| RIPE	| CTCNET-AS
> 
> SOA points to ns.dbhttserv19.com, which is also highly distributed, but
> seems to line up pretty closely to the list of hosts above that are
> actually serving/proxying the BofA login page.
> 
> asn	| ip_addr		| rir	| org_name
> 209	| 205.215.222.195	| ARIN	| ASN-QWEST
> 3340	| 195.56.29.103		| RIPE	| DataNet Telecommunication Ltd., Hungary
> 4766	| 59.22.182.42		| APNIC | Korea Telecom
> 5617	| 79.186.148.18		| RIPE	| Polish Telecom
> 8551	| 84.109.48.171		| RIPE	| Bezeqint Internet Backbone
> 8708	| 79.116.227.11		| RIPE	| RCS & RDS S.A.
> 8708	| 79.118.190.116	| RIPE	| RCS & RDS S.A.
> 8708	| 86.121.163.102	| RIPE	| RCS & RDS S.A.
> 9121	| 85.102.191.88		| RIPE	| TTnet Autonomous System
> 9141	| 84.10.198.117		| RIPE	| UPC Poland
> 12322	| 82.64.35.61		| RIPE	| Proxad / Free SAS
> 20771	| 93.177.134.225	| RIPE	| DeltaNet Autonomous System
> 22291	| 71.94.239.167		| ARIN	| Charter Communications
> 41950	| 77.81.49.159		| RIPE	| SC NETLOG COMPUTER SRL
> 
> jms
> 
> ---------- Forwarded message ----------
> Return-Path: <xogcalmetrogel at calmetro.com>
> Delivered-To: streiner at cluebyfour.org
> Received: (qmail 24813 invoked by uid 210); 17 Jun 2008 14:53:54 -0000
> Received: from smtp-mx-03.mx.pitdc1.expedient.net by whammy (envelope-from
>      <xogcalmetrogel at calmetro.com>, uid 201) with qmail-scanner-2.02st
>      (clamdscan: 0.93/7494. spamassassin: 3.2.1. perlscan: 2.02st.
>      Clear:RC:0(208.12.111.8):SA:0(0.9/5.0):.
>      Processed in 2.381319 secs); 17 Jun 2008 14:53:54 -0000
> X-Spam-Status: No, hits=0.9 required=5.0
> Received: from smtp-mx-03.mx.pitdc1.expedient.net (208.12.111.8)
>      by 192.168.1.69 with SMTP; 17 Jun 2008 14:53:52 -0000
> Received: from localhost (unknown [127.0.0.2])
>      by smtp-mx-03.mx.pitdc1.expedient.net (Postfix) with ESMTP id 48DCC7852F;
>      Tue, 17 Jun 2008 10:53:52 -0400 (EDT)
> X-Virus-Scanned: by amavisd-new at mail.stargate.net
> Received: from smtp-mx-03.mx.pitdc1.expedient.net ([208.12.111.8])
>      by localhost (smtp-mx-03.mx.pitdc1.expedient.net [127.0.0.2]) (amavisd-new, port 10024)
>      with LMTP id xGt3OfMnMyMN; Tue, 17 Jun 2008 10:53:47 -0400 (EDT)
> Received: from janna (ppp91-196-75-216.pppoe.katrina.ru [91.196.75.216])
>      by smtp-mx-03.mx.pitdc1.expedient.net (Postfix) with ESMTP id E837BD40F1;
>      Tue, 17 Jun 2008 10:53:46 -0400 (EDT)
> Received: from [91.196.75.216] by calmetro.com; Tue, 17 Jun 2008 17:53:46 +0300
> Date:	Tue, 17 Jun 2008 17:53:46 +0300
> From:	"Customer Support" <xogcalmetrogel at calmetro.com>
> X-Mailer: The Bat! (v3.71.14) Professional
> Reply-To: xogcalmetrogel at calmetro.com
> X-Priority: 3 (Normal)
> Message-ID: <311205400.51374539633977 at calmetro.com>
> To: stevemiller at stargate.net
> Subject: Dear Valued Customer
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>    boundary="----------40109DAAAA3E54"
> 
> ------------40109DAAAA3E54
> Content-Type: text/plain; charset=Windows-1252
> Content-Transfer-Encoding: 7bit
> 
> Bank of America
> 
> Your Card is about to expire
> CASE ID: KLFHYAPP15647
> 
> You Bank of america card is about to expire. 
> In order to remain active, please follow link below to 
> proceed and activate your account.
> 
> Login here
> http://sitebankofamerica.virtual.access.key.dbhttserv19.com/sitekey.bankofamerica.com.sas.signon.do2/
> 
> Thank you for your patience
> 
> Sincerely Yours,
> Bank of America Customer Support
> 
> 
> *Important*
> Please do not reply to this email.
> Email sent to this address can not be answered.
> Bank of America never sends their users emails requesting 
> personal details in this way.
> ------------40109DAAAA3E54
> Content-Type: text/html; charset=Windows-1252
> Content-Transfer-Encoding: 7bit
> 
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <HTML><HEAD><TITLE></TITLE>
> </HEAD>
> <BODY>
> 
> <table  width="550" border="0" cellpadding="0" cellspacing="0">
> <tr>
> <td><h3><font color="#0052C2" face="Arial, Helvetica, sans-serif">Bank of America</font> </h3>
> 
> </td>
> </tr>
> <tr>
> <td><h2>Your Card is about to expire</h2>
> <br>
> CASE ID: KLFHYAPP15647<br></td>
> </tr>
> <tr>
> <td><hr></td>
> </tr>
> <tr>
> <tr>
> <td>
> 
> <p>You Bank of america card is about to expire, In order to 
> remain active, please follow link below to proceed and 
> activate your account.<br>
> <br>
> <a href="http://sitebankofamerica.virtual.access.key.dbhttserv19.com/sitekey.bankofamerica.com.sas.signon.do2/">Login here</a><br>
> <br>
> Thank you for your patience<br>
> <br> 
> Sincerely Yours,<br>
> Bank of America Customer Support<br> 
> <br> 
> <br> 
> *Important*<br> 
> Please do not reply to this email.</br> 
> Email sent to this address can not be answered.</br> 
> Bank of America never sends their users emails requesting 
> personal details in this way.<br>
> <br>
> </p>
> </td>
> </tr>
> </table>
> 
> </BODY></HTML>
> ------------40109DAAAA3E54--
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
> 
> 


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.
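The three asn/ip/rir/org tables in the quoted post are the evidence behind the "fairly well organized" judgement and the remark that the SOA hosts line up with the content servers. The following Python is an added example, not part of the post or of the list archive: it parses constructed copies of those three tables and puts numbers on both observations, i.e. how widely each role (content servers, NS hosts, SOA hosts) is spread across ASNs, RIRs and /16s, and which addresses and ASNs the roles share. The fast-flux thresholds (at least five IPs over at least three ASNs) are illustrative assumptions of this example, not anything the post states.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed copies of the three "asn | ip_addr | rir | org_name" tables from
# the post above; the wrapped DataNet entry is joined back onto one line.
CONTENT_HOSTS = """\
209   | 205.215.222.195 | ARIN   | ASN-QWEST
3216  | 212.46.227.100  | RIPE   | Golden Telecom, Moscow, Russia
3340  | 195.56.29.103   | RIPE   | DataNet Telecommunication Ltd., Hungary
4766  | 59.22.182.42    | APNIC  | Korea Telecom
5617  | 79.186.148.18   | RIPE   | Polish Telecom
8402  | 78.106.67.29    | RIPE   | Corbina Telecom
8551  | 84.109.48.171   | RIPE   | Bezeqint Internet Backbone
8708  | 79.116.227.11   | RIPE   | RCS & RDS S.A.
8708  | 79.118.190.116  | RIPE   | RCS & RDS S.A.
8708  | 86.121.163.102  | RIPE   | RCS & RDS S.A.
12322 | 82.64.35.61     | RIPE   | Proxad / Free SAS
15858 | 89.40.248.145   | RIPE   | Planet Rivulus SR
20771 | 93.177.134.225  | RIPE   | DeltaNet Autonomous System
22291 | 71.94.239.167   | ARIN   | Charter Communications
28751 | 78.139.131.112  | RIPE   | Caucasus Online Gepon net #1
33818 | 80.250.168.32   | RIPE   | Magistral, Ltd, ISP
41633 | 89.39.198.65    | RIPE   | SC X-treme Networking SRL
41950 | 77.81.49.159    | RIPE   | SC NETLOG COMPUTER SRL
"""
NS_HOSTS = """\
7418  | 190.21.164.223  | LACNIC | Terra Networks Chile S.A.
8402  | 93.81.66.93     | RIPE   | Corbina Telecom
9050  | 89.123.25.152   | RIPE   | ROMTELECOM S.A
12705 | 90.151.32.18    | RIPE   | OJSC "Uralsviazinform"
25515 | 77.51.110.12    | RIPE   | CTCNET-AS
"""
SOA_HOSTS = """\
209   | 205.215.222.195 | ARIN   | ASN-QWEST
3340  | 195.56.29.103   | RIPE   | DataNet Telecommunication Ltd., Hungary
4766  | 59.22.182.42    | APNIC  | Korea Telecom
5617  | 79.186.148.18   | RIPE   | Polish Telecom
8551  | 84.109.48.171   | RIPE   | Bezeqint Internet Backbone
8708  | 79.116.227.11   | RIPE   | RCS & RDS S.A.
8708  | 79.118.190.116  | RIPE   | RCS & RDS S.A.
8708  | 86.121.163.102  | RIPE   | RCS & RDS S.A.
9121  | 85.102.191.88   | RIPE   | TTnet Autonomous System
9141  | 84.10.198.117   | RIPE   | UPC Poland
12322 | 82.64.35.61     | RIPE   | Proxad / Free SAS
20771 | 93.177.134.225  | RIPE   | DeltaNet Autonomous System
22291 | 71.94.239.167   | ARIN   | Charter Communications
41950 | 77.81.49.159    | RIPE   | SC NETLOG COMPUTER SRL
"""


@dataclass(frozen=True)
class Host:
    asn: int
    ip: str
    rir: str
    org: str


def parse_table(text):
    """Parse 'asn | ip | rir | org' rows into Host records."""
    hosts = []
    for line in text.strip().splitlines():
        asn, ip, rir, org = (field.strip() for field in line.split("|", 3))
        hosts.append(Host(int(asn), ip, rir, org))
    return hosts


def diversity(hosts):
    """What a triager looks at first: how many addresses, and how many
    distinct ASNs, RIRs and /16 prefixes they are spread across."""
    return {
        "ips": len({h.ip for h in hosts}),
        "asns": len({h.asn for h in hosts}),
        "rirs": len({h.rir for h in hosts}),
        "slash16s": len({".".join(h.ip.split(".")[:2]) for h in hosts}),
    }


def looks_fast_flux(hosts, min_ips=5, min_asns=3):
    """Assumed illustrative thresholds: one phish hostname backed by many
    addresses in several unrelated ASNs is the shape of a flux network
    (compromised end-user machines proxying for a hidden mothership),
    not of a single compromised web host."""
    d = diversity(hosts)
    return d["ips"] >= min_ips and d["asns"] >= min_asns


def compare_roles(a, b):
    """Which addresses and which ASNs do two infrastructure roles share?"""
    ips_a, ips_b = {h.ip for h in a}, {h.ip for h in b}
    return {
        "shared_ips": sorted(ips_a & ips_b),
        "only_a": sorted(ips_a - ips_b),
        "only_b": sorted(ips_b - ips_a),
        "shared_asns": sorted({h.asn for h in a} & {h.asn for h in b}),
    }


def top_asns(hosts, n=3):
    """ASNs contributing the most nodes; useful for picking whom to contact first."""
    return Counter(h.asn for h in hosts).most_common(n)


if __name__ == "__main__":
    content, ns, soa = (parse_table(t) for t in (CONTENT_HOSTS, NS_HOSTS, SOA_HOSTS))
    for name, hosts in (("content", content), ("NS", ns), ("SOA", soa)):
        print(name, diversity(hosts), "flux-like" if looks_fast_flux(hosts) else "")
    cmp = compare_roles(content, soa)
    print(f"{len(cmp['shared_ips'])} of {len(content)} content hosts also answer as SOA")
    cmp_ns = compare_roles(content, ns)
    print("content vs NS: shared IPs", cmp_ns["shared_ips"], "shared ASNs", cmp_ns["shared_asns"])
    print("busiest ASNs among content hosts:", top_asns(content))
```

Run stand-alone it reports 18 content addresses in 16 ASNs across three RIRs, 12 of them also listed as SOA hosts, and no address shared between the content servers and the NS hosts (only AS8402 appears in both roles). The ASN counts also tell you where a takedown request lands: RCS & RDS (AS8708) contributes three nodes, everyone else one.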


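The forwarded headers are the first piece of the forensic evidence Justin asks for. The Python below is an added example, not from the post or the list archive: it walks the Received: chain of a constructed copy of those headers, newest hop first, and stops at the first peer that is not one of the recipient's own relays. The set of trusted relays (whammy, 192.168.1.69, localhost, smtp-mx-03.mx.pitdc1.expedient.net and its address 208.12.111.8) is an assumption about the recipient's mail path made for this example. The point it demonstrates: a Received: line stamped by a relay you trust records the peer address that relay actually saw on the TCP connection, whereas the HELO name ("janna") and every Received: line below the handoff were supplied by the sender and prove nothing.

```python
import email
import re

# Constructed copy of the Received: chain from the forwarded phish (body
# omitted, folded lines joined).  Newest hop first, as in a real message.
RAW_HEADERS = """\
Received: (qmail 24813 invoked by uid 210); 17 Jun 2008 14:53:54 -0000
Received: from smtp-mx-03.mx.pitdc1.expedient.net by whammy (envelope-from <xogcalmetrogel@calmetro.com>, uid 201) with qmail-scanner-2.02st (clamdscan: 0.93/7494. spamassassin: 3.2.1. perlscan: 2.02st. Clear:RC:0(208.12.111.8):SA:0(0.9/5.0):. Processed in 2.381319 secs); 17 Jun 2008 14:53:54 -0000
Received: from smtp-mx-03.mx.pitdc1.expedient.net (208.12.111.8) by 192.168.1.69 with SMTP; 17 Jun 2008 14:53:52 -0000
Received: from localhost (unknown [127.0.0.2]) by smtp-mx-03.mx.pitdc1.expedient.net (Postfix) with ESMTP id 48DCC7852F; Tue, 17 Jun 2008 10:53:52 -0400 (EDT)
Received: from smtp-mx-03.mx.pitdc1.expedient.net ([208.12.111.8]) by localhost (smtp-mx-03.mx.pitdc1.expedient.net [127.0.0.2]) (amavisd-new, port 10024) with LMTP id xGt3OfMnMyMN; Tue, 17 Jun 2008 10:53:47 -0400 (EDT)
Received: from janna (ppp91-196-75-216.pppoe.katrina.ru [91.196.75.216]) by smtp-mx-03.mx.pitdc1.expedient.net (Postfix) with ESMTP id E837BD40F1; Tue, 17 Jun 2008 10:53:46 -0400 (EDT)
Received: from [91.196.75.216] by calmetro.com; Tue, 17 Jun 2008 17:53:46 +0300
From: "Customer Support" <xogcalmetrogel@calmetro.com>
Subject: Dear Valued Customer

"""

# Assumption for this example: the recipient's own relays, by name and by
# address.  Received: lines stamped by these are ours; anything below the
# last of them was written by someone we do not control.
TRUSTED_RELAYS = {"whammy", "192.168.1.69", "localhost",
                  "smtp-mx-03.mx.pitdc1.expedient.net", "208.12.111.8"}

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+([^\s;]+)")
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def parse_hops(raw):
    """One dict per Received: header, newest first: the HELO name the peer
    claimed, the peer IP and reverse DNS the relay recorded, and the relay
    ('by') that wrote the line.  Lines without a from/by pair (local
    delivery, e.g. qmail's) keep None fields."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        hop = {"helo": None, "ip": None, "rdns": None, "by": None, "raw": value}
        m = HOP_RE.search(value)
        if m:
            helo, paren, by = m.group(1), m.group(2) or "", m.group(3)
            ipm = IP_RE.search(paren) or IP_RE.search(helo)
            first = paren.split()[0] if paren else ""
            # 'unknown' or a bare [ip] means the relay found no PTR record
            rdns = first if first and first != "unknown" and not IP_RE.fullmatch(first) else None
            hop.update(helo=helo, ip=ipm.group(1) if ipm else None, rdns=rdns, by=by)
        hops.append(hop)
    return hops


def originating_client(hops, trusted=TRUSTED_RELAYS):
    """Walk newest-first through hops written by our own relays.  The first
    peer that is neither one of ours nor loopback is the host that actually
    connected to our MX; every hop after it is sender-supplied."""
    for i, hop in enumerate(hops):
        if hop["by"] is None:                    # local delivery line
            continue
        if hop["by"] not in trusted:             # stamped by a foreign host: stop
            break
        ip, helo = hop["ip"], hop["helo"]
        if ip is None or ip in trusted or ip.startswith("127.") or helo in trusted:
            continue                             # internal handoff between our relays
        return ip, hops[i + 1:]
    return None, []


if __name__ == "__main__":
    hops = parse_hops(RAW_HEADERS)
    ip, untrusted = originating_client(hops)
    print("client that connected to our MX:", ip)
    for hop in untrusted:
        print("sender-supplied, do not trust:", hop["raw"])
```

On these headers the connecting client is 91.196.75.216 (reverse DNS ppp91-196-75-216.pppoe.katrina.ru, a PPPoE pool), and the trailing "Received: from [91.196.75.216] by calmetro.com" line falls below the handoff, so it is reported as sender-supplied rather than taken as evidence that calmetro.com relayed anything. The same walk, with your own relay set substituted, is what an abuse desk needs before it can tell a remote ISP which of its customers sent the phish.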
