[nsp-sec] AS 10316 upstream AS3356 -> level3 SMS spam

Smith, Donald Donald.Smith at qwest.com
Thu Mar 13 13:51:54 EDT 2008


A few more details.
I have heard that Verizon and Sprint are seeing this also; that was
relayed to me, so it's just hearsay.

These are some of the VICTIMS of spam from 82.165.178.6 I am seeing
based on netflow records.

20115   | 24.176.93.243    | CHARTER-NET-HKY-NC - Charter Communications
20124   | 208.101.173.142  | DE-TELECOMM - D&E Communications
20124   | 66.109.227.37    | DE-TELECOMM - D&E Communications
20124   | 66.109.241.21    | DE-TELECOMM - D&E Communications

There are several phone numbers involved.
Here is the list of phone numbers being used in the vishing attack 
with a partial thread below showing some of the msgs being used.

818.237.5717 
860.556.4654
870.292.4253
845.868.4215


Headers for those who need them or are tracking this vishing crew.
I sanitized the TO line.
 
DATE: 03/13/08 15:41:53 GMT
IP: wsip-24-234-51-98.lv.lv.cox.net ::ffff:24.234.51.98
HELO: server.crowneclosets.com
env_From: <abuse at crowneclosets.com>  mail_host=crowneclosets.com.
env_To: <xxxxxx at qwestmp.com>  addr=xxxxxx at qwestmp.com  dir=
 
Received: from localhost.localdomain ([216.55.159.120]) by
server.crowneclosets.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 13 Mar 2008 08:32:52 -0700
From: service at botc.com
To: <5415048428 at qwestmp.com>
Subject: CASCADES
Content-type: text/plain; charset=us-ascii
Return-Path: abuse at crowneclosets.com
Message-ID: <SERVERliRtUvh18cbKT00000644 at server.crowneclosets.com>
X-OriginalArrivalTime: 13 Mar 2008 15:32:52.0500 (UTC)
FILETIME=[806A7540:01C885 1F]
Date: 13 Mar 2008 08:32:52 -0700
 

Your Bank of the Cascades account is closed due to unusual activity,call
us at 8 605564654.  
  
Your Horizon Credit Union bill service is expired,for renewal please
call us toll-free 870.292.4253 ASAP 

Your Salt Lake Credit Union bill service is expired,for renewal please
call us toll-free 845.868.4215 ASAP
 

RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Smith, Donald
> Sent: Thursday, March 13, 2008 10:07 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] AS 10316 upstream AS3356 -> level3 SMS 
> spam points to8182375717
> 
> ----------- nsp-security Confidential --------
> 
> We are seeing 216.55.159.120 as the source of a SMS spam for a vishing
> attempt against cascades bank.
> Here is the basic vishing scheme.
> http://800notes.com/Phone.aspx/1-818-237-5717
> 
<SNIP>

> 
> We really need to get the phone number involved taken down but I don't
> know how to get that done?
> The current phone number is 8182375717 which appears to be a level3
> phone in Burbank but with number portability who knows who has this
> number. It has been used in vishing since Nov of 2007. 
> H8Hz
> Donald.Smith at qwest.com giac


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.
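
For anyone matching captured lures against the number list in the message above, here is an added example (not part of the original message or of any Qwest tooling). It normalises callback numbers written in different forms to 10 NANP digits and pulls the relay IP from the Received header. The sample strings are copied from the message with wrapped lines joined, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# 10 or 11 digits, each optionally followed by one space, dot or dash
PHONE_RE = re.compile(r"(?<!\d)(?:\d[ .\-]?){9,10}\d(?!\d)")
# Bracketed IPv4 literal as written in a Received: header
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def normalise_nanp(raw):
    """Reduce any written form to 10 NANP digits, or None if it cannot be one."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]  # drop the country code
    # NANP area code and exchange both start with 2-9
    if len(digits) == 10 and digits[0] in "23456789" and digits[3] in "23456789":
        return digits
    return None

def callback_numbers(text):
    """Set of normalised phone numbers found in free text."""
    hits = (normalise_nanp(m.group()) for m in PHONE_RE.finditer(text))
    return {n for n in hits if n}

def relay_ips(received_header):
    """IPv4 addresses a relay recorded in brackets."""
    return RECEIVED_IP_RE.findall(received_header)

def correlate(lures, watchlist):
    """Map each watchlisted number to the indexes of the lures that use it."""
    wanted = {normalise_nanp(w) for w in watchlist}
    seen = defaultdict(list)
    for i, lure in enumerate(lures):
        for n in callback_numbers(lure) & wanted:
            seen[n].append(i)
    return dict(seen)

# Sample input copied from the message above (wrapped lines joined)
WATCHLIST = ["818.237.5717", "860.556.4654", "870.292.4253", "845.868.4215"]
LURES = [
    "Your Bank of the Cascades account is closed due to unusual activity,call us at 8 605564654.",
    "Your Horizon Credit Union bill service is expired,for renewal please call us toll-free 870.292.4253 ASAP",
    "Your Salt Lake Credit Union bill service is expired,for renewal please call us toll-free 845.868.4215 ASAP",
]
RECEIVED = "from localhost.localdomain ([216.55.159.120]) by server.crowneclosets.com with Microsoft SMTPSVC(6.0.3790.3959)"

if __name__ == "__main__":
    print(correlate(LURES, WATCHLIST))
    print(relay_ips(RECEIVED))
```
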


