[nsp-sec] Wireless SMS Vishing attack - Bank of Cascades
Lawrence Baldwin
baldwinl at mynetwatchman.com
Fri Mar 14 16:15:06 EDT 2008
FYI,

Y'all might want to reach out to your Wireless counterparts...apparently
there have been some major SMS Vishing spam attacks going on the last week or
so. Miscreants are sending messages like below to *ALL* combinations of
NPA/NXX/####.

I've infiltrated the current spam source: 216.55.159.120 and have the malware
kit...it's called 'smssender'.

They are using compromised SMTP accounts to relay the spam through upstream
mail servers using the stolen credentials...thus mail will hit your
infrastructure from hundreds (if not thousands) of valid mailers for which
the miscreants have one or more stolen SMTP credentials...creates a major
filtering problem.

Can anyone that is being impacted by this contact me by phone as I'm trying
to mitigate as best I can w/o taking this host down.

They are using an automated exploit kit that uses the Horde Help Module
vulnerability to compromise the servers where the smssender kit is dropped
on. They have already moved from 3 different servers in the last few days,
so blowing up this current server isn't likely to accomplish much other than
losing the monitoring capability I've established.

Regards,
Lawrence Baldwin
myNetWatchman.com
Atlanta, GA
+1.678.624.0924
---------------
Received: from localhost.localdomain ([216.55.159.120]) by mail.wph.com with
 Microsoft SMTPSVC(6.0.3790.3959);
 Thu, 13 Mar 2008 14:44:50 -0400
From: security at botc.com
To: <5417709507 at xxxxx>
Subject: ALERT
Content-type: text/plain; charset=us-ascii
Return-Path: lisa at wph.com
Message-ID: <WPHAVLDC2iwb4dZpD4500006667 at mail.wph.com>
X-OriginalArrivalTime: 13 Mar 2008 18:44:50.0222 (UTC)
 FILETIME=[51835CE0:01C8853A]
Date: 13 Mar 2008 14:44:50 -0400
X-TM-AS-Product-Ver: SMEX-8.0.0.1181-5.000.1023-15782.002
X-TM-AS-Result: No-3.279000-8.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No

Your Bank of the Cascades account is closed due to unusual activity,call us
at 8187486172
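
Added example, not part of the original post: a Python sketch that pulls out the header traits visible in the quoted sample, which can be combined for filtering when the relaying mail servers are themselves legitimate. The signal names, the `indicators` function and the `sms-gateway.example` recipient domain are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted above: the archive's
# " at " obfuscation is undone and the gateway domain is a placeholder.
SAMPLE = """\
Received: from localhost.localdomain ([216.55.159.120]) by mail.wph.com with
 Microsoft SMTPSVC(6.0.3790.3959); Thu, 13 Mar 2008 14:44:50 -0400
From: security@botc.com
To: <5417709507@sms-gateway.example>
Subject: ALERT
Return-Path: lisa@wph.com

Your Bank of the Cascades account is closed due to unusual activity,call us
at 8187486172
"""

GENERIC_HELO = {"localhost", "localhost.localdomain"}
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)\s+by\s+(\S+)", re.I)

def domain(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def indicators(raw):
    """Return the names of the signals present in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    from_dom, rp_dom = domain(msg.get("From", "")), domain(msg.get("Return-Path", ""))
    m = RECEIVED_RE.search(" ".join(msg.get("Received", "").split()))
    helo, by_host = (m.group(1).lower(), m.group(3).lower()) if m else ("", "")
    # Relay's own account is the envelope sender, but From claims another domain.
    same_org = by_host == rp_dom or by_host.endswith("." + rp_dom)
    if rp_dom and from_dom and from_dom != rp_dom and same_org:
        hits.append("relay_account_with_foreign_from")
    # Submitting client announced a default hostname instead of a real one.
    if helo in GENERIC_HELO:
        hits.append("generic_helo")
    # Recipient local part is a bare 10-digit number (NPA/NXX/####).
    local = parseaddr(msg.get("To", ""))[1].partition("@")[0]
    if re.fullmatch(r"\d{10}", local):
        hits.append("numeric_sms_recipient")
    # Body asks the recipient to phone a number (the vishing callback).
    body = " ".join(str(msg.get_payload()).split())
    if re.search(r"call us at \d{10}\b", body, re.I):
        hits.append("callback_number_in_body")
    return hits

if __name__ == "__main__":
    print(indicators(SAMPLE))
```

Each signal on its own also occurs in legitimate mail, so they are meant to be scored together rather than used as single blocking rules.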