[nsp-sec] AS 10316 upstream AS3356 -> level3 SMS spam

Smith, Donald Donald.Smith at qwest.com
Thu Mar 13 15:45:34 EDT 2008


Thanks to Level 3 for their rapid response to this incident.
I don't think it is over, but the phone numbers that I am aware of are no
longer available, at least to Qwest customers :)

Cascade bank is also very thankful, although unaware of the specific
measures we used to help get this slowed or stopped.

LB is assisting with forensics on one of the machines that was sending
the emails to our smtp<->sms gateway. If I get details I will share as
much as possible.




RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Campisano, Mario [mailto:Mario.Campisano at Level3.com] 
> Sent: Thursday, March 13, 2008 12:04 PM
> To: Smith, Donald; nsp-security at puck.nether.net
> Subject: RE: Re: [nsp-sec] AS 10316 upstream AS3356 -> level3 SMS spam
> 
> Donald,
> 
>     I will forward this to our telephone fraud team, minus 
> the NSP information.
> 
> Thank you,
> Mario Campisano
> Manager
> IPD&S Network Security Lead Support/
> Network Security Services
> Level 3 Communications, LLC
> abuse at level3.com
> securityoperations at level3.com
> 
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> > bounces at puck.nether.net] On Behalf Of Smith, Donald
> > Sent: Thursday, March 13, 2008 1:52 PM
> > To: nsp-security at puck.nether.net
> > Subject: Re: [nsp-sec] AS 10316 upstream AS3356 -> level3 SMS spam
> >
> > ----------- nsp-security Confidential --------
> >
> > A few more details.
> > I have heard that Verizon and Sprint are seeing this also; that was
> > relayed to me, so it's just hearsay.
> >
> > These are some of the VICTIMS of spam from 82.165.178.6 I am seeing
> > based on netflow records.
> >
> > 20115   | 24.176.93.243    | CHARTER-NET-HKY-NC - Charter Communications
> > 20124   | 208.101.173.142  | DE-TELECOMM - D&E Communications
> > 20124   | 66.109.227.37    | DE-TELECOMM - D&E Communications
> > 20124   | 66.109.241.21    | DE-TELECOMM - D&E Communications
> >
> > There are several phone numbers involved.
> > Here is the list of phone numbers being used in the vishing attack
> > with a partial thread below showing some of the msgs being used.
> >
> > 818.237.5717
> > 860.556.4654
> > 870.292.4253
> > 845.868.4215
> >
> >
> > Headers for those who need them or are tracking this vishing crew.
> > I sanitized the TO line.
> >
> > DATE: 03/13/08 15:41:53 GMT
> > IP: wsip-24-234-51-98.lv.lv.cox.net ::ffff:24.234.51.98
> > HELO: server.crowneclosets.com
> > env_From: <abuse at crowneclosets.com>  mail_host=crowneclosets.com.
> > env_To: <xxxxxx at qwestmp.com>  addr=xxxxxx at qwestmp.com  dir=
> >
> > Received: from localhost.localdomain ([216.55.159.120]) by
> > server.crowneclosets.com with Microsoft SMTPSVC(6.0.3790.3959);
> > Thu, 13 Mar 2008 08:32:52 -0700
> > From: service at botc.com
> > To: <5415048428 at qwestmp.com>
> > Subject: CASCADES
> > Content-type: text/plain; charset=us-ascii
> > Return-Path: abuse at crowneclosets.com
> > Message-ID: <SERVERliRtUvh18cbKT00000644 at server.crowneclosets.com>
> > X-OriginalArrivalTime: 13 Mar 2008 15:32:52.0500 (UTC)
> > FILETIME=[806A7540:01C885 1F]
> > Date: 13 Mar 2008 08:32:52 -0700
> >
> >
> > Your Bank of the Cascades account is closed due to unusual activity,call
> > us at 8 605564654.
> >
> > Your Horizon Credit Union bill service is expired,for renewal please
> > call us toll-free 870.292.4253 ASAP
> >
> > Your Salt Lake Credit Union bill service is expired,for renewal please
> > call us toll-free 845.868.4215 ASAP
> >
> >
> > RM=for(1)
> > {manage_risk(identify_risk(product[i++]) &&
> > (identify_threat[product[i++]))}
> > Donald.Smith at qwest.com giac
> >
> > > -----Original Message-----
> > > From: nsp-security-bounces at puck.nether.net
> > > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> > > Smith, Donald
> > > Sent: Thursday, March 13, 2008 10:07 AM
> > > To: nsp-security at puck.nether.net
> > > Subject: [nsp-sec] AS 10316 upstream AS3356 -> level3 SMS
> > > spam points to8182375717
> > >
> > > ----------- nsp-security Confidential --------
> > >
> > > We are seeing 216.55.159.120 as the source of a SMS spam for a
> > > vishing attempt against cascades bank.
> > > Here is the basic vishing scheme.
> > > http://800notes.com/Phone.aspx/1-818-237-5717
> > >
> > <SNIP>
> >
> > >
> > > We really need to get the phone number involved taken down but I
> > > don't know how to get that done?
> > > The current phone number is 8182375717 which appears to be a Level3
> > > phone in Burbank, but with number portability who knows who has this
> > > number. It has been used in vishing since Nov of 2007.
> > > H8Hz
> > > Donald.Smith at qwest.com giac
> >
> >
> 
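
Added example, not part of the original thread or of any participant's tooling: the callback numbers in the quoted messages appear in several spellings (818.237.5717, 8182375717, "8 605564654"), so matching them at an SMTP-to-SMS gateway means normalising first. The sample message is constructed from the headers quoted above; `REPORTED`, `callback_numbers` and `triage` are names chosen for this example.

```python
import re
from email import message_from_string

# Callback numbers reported in this thread, as bare 10-digit strings.
REPORTED = {"8182375717", "8605564654", "8702924253", "8458684215"}

# Ten digits with at most one space, dot or dash between neighbours,
# optionally preceded by a leading country code 1.
PHONE_RE = re.compile(r"(?<!\d)(?:1[ .\-]?)?(\d(?:[ .\-]?\d){9})(?!\d)")
# Bracketed IPv4 literal as written by the receiving MTA in a Received header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def callback_numbers(text):
    """Return every 10-digit number found in text, separators stripped."""
    return [re.sub(r"\D", "", m.group(1)) for m in PHONE_RE.finditer(text)]

def triage(raw_message):
    """Summarise one message arriving at an SMTP-to-SMS gateway."""
    msg = message_from_string(raw_message)
    # Only the body is scanned: the To header of an SMS gateway message
    # is itself a 10-digit number and must not count as a callback number.
    numbers = callback_numbers(msg.get_payload())
    hops = [ip for header in msg.get_all("Received", [])
            for ip in RECEIVED_IP_RE.findall(header)]
    return {
        "relay_ips": hops,  # newest hop first
        "numbers": numbers,
        "matched": sorted(set(numbers) & REPORTED),
    }

# Constructed sample, modelled on the headers and body quoted in the thread.
SAMPLE = """\
Received: from localhost.localdomain ([216.55.159.120]) by
 server.crowneclosets.com with Microsoft SMTPSVC(6.0.3790.3959);
 Thu, 13 Mar 2008 08:32:52 -0700
From: service at botc.com
To: <xxxxxx at qwestmp.com>
Subject: CASCADES
Content-type: text/plain; charset=us-ascii

Your Bank of the Cascades account is closed due to unusual activity,call
us at 8 605564654.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```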


