[nsp-sec] Wireless SMS Vishing attack - Bank of Cascades - need Flow help 82.165.237.84 AS8560 schlund.net

Lawrence Baldwin baldwinl at mynetwatchman.com
Fri Mar 14 19:05:20 EDT 2008


 

I have backtraced the miscreant a couple more hops upstream...the miscreants
were controlling 216.55.159.120 from a hacked box on GoDaddy:
208.109.22.1. That box in turn had an inbound SSH login from:
82.165.237.84

Anyone have any intel and/or Flow on 82.165.237.84?


Regards,

Lawrence.

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Lawrence Baldwin
Sent: Friday, March 14, 2008 16:15
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Wireless SMS Vishing attack - Bank of Cascades

----------- nsp-security Confidential --------

FYI,

Y'all might want to reach out to your wireless counterparts...apparently
there have been some major SMS vishing spam attacks going on for the last week or
so.  Miscreants are sending messages like the one below to *ALL* combinations of
NPA/NXX/####.

I've infiltrated the current spam source, 216.55.159.120, and have the malware
kit...it's called 'smssender'.

They are using compromised SMTP accounts to relay the spam through upstream
mail servers using the stolen credentials...thus mail will hit your
infrastructure from hundreds (if not thousands) of valid mailers for which
the miscreants have one or more stolen SMTP credentials, which creates a major
filtering problem.


Can anyone who is being impacted by this contact me by phone? I'm trying
to mitigate as best I can w/o taking this host down.

They are using an automated exploit kit that uses the Horde Help Module
vulnerability to compromise the servers on which the smssender kit is
dropped.  They have already moved through 3 different servers in the last few days,
so blowing up this current server isn't likely to accomplish much other than
losing the monitoring capability I've established.

Regards,

Lawrence Baldwin
myNetWatchman.com
Atlanta, GA
+1.678.624.0924


---------------

Received: from localhost.localdomain ([216.55.159.120]) by mail.wph.com with Microsoft SMTPSVC(6.0.3790.3959);
         Thu, 13 Mar 2008 14:44:50 -0400
From: security at botc.com
To: <5417709507 at xxxxx>
Subject: ALERT
Content-type: text/plain; charset=us-ascii
Return-Path: lisa at wph.com
Message-ID: <WPHAVLDC2iwb4dZpD4500006667 at mail.wph.com>
X-OriginalArrivalTime: 13 Mar 2008 18:44:50.0222 (UTC) FILETIME=[51835CE0:01C8853A]
Date: 13 Mar 2008 14:44:50 -0400
X-TM-AS-Product-Ver: SMEX-8.0.0.1181-5.000.1023-15782.002
X-TM-AS-Result: No-3.279000-8.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No

Your Bank of the Cascades account is closed due to unusual activity,call us at 8187486172



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
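The quoted headers carry the traits the post describes: the message enters mail.wph.com from an outside host that announces itself as localhost.localdomain, its Return-Path is a wph.com mailbox while the From header claims botc.com (the relaying account's credentials were evidently stolen), the recipient is a bare phone number at an e-mail-to-SMS gateway, and the body pairs an account-closure scare with a callback number. The script below is an added example, not code from the list or the poster: it parses a message with the Python standard library and reports which of those traits are present, so a mail admin can run the same checks over quarantined mail. The sample message is transcribed from the headers quoted above (the Trend Micro X-TM headers are omitted), and the heuristics and thresholds are this example's own assumptions.

```python
"""Triage heuristics for relayed SMS-vishing mail of the kind quoted in the thread.

Added example (not the list's or the poster's code). Parses a raw message and
reports which suspicious traits it carries; an empty result means none matched.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample, transcribed from the headers quoted in the thread; the
# recipient domain is left as the archive shows it.
SAMPLE = (
    "Received: from localhost.localdomain ([216.55.159.120]) by mail.wph.com with "
    "Microsoft SMTPSVC(6.0.3790.3959);\n"
    "\t Thu, 13 Mar 2008 14:44:50 -0400\n"
    "From: security@botc.com\n"
    "To: <5417709507@xxxxx>\n"
    "Subject: ALERT\n"
    "Content-type: text/plain; charset=us-ascii\n"
    "Return-Path: lisa@wph.com\n"
    "Message-ID: <WPHAVLDC2iwb4dZpD4500006667@mail.wph.com>\n"
    "Date: 13 Mar 2008 14:44:50 -0400\n"
    "\n"
    "Your Bank of the Cascades account is closed due to unusual activity,"
    "call us at 8187486172\n"
)

# "from <helo-name> ([<ip>])", the form written by the MTA in the sample above.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
GENERIC_HELO = {"localhost", "localhost.localdomain"}  # assumed list of loopback-style names
URGENCY_RE = re.compile(r"account (?:is|has been) (?:closed|suspended|locked)", re.I)
PHONE_RE = re.compile(r"\b\d{10,11}\b")  # assumed: NANP number with optional leading 1


def parse_received(value):
    """Return (helo_name, ip) from one Received header value, or None if not parsable."""
    m = RECEIVED_RE.search(value)
    return (m.group(1), m.group(2)) if m else None


def domain_of(addr):
    """Lower-cased domain part of an address header value, or '' if absent."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def triage(raw):
    """Return a list of human-readable findings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. A loopback-style HELO name presented from a public address: the client
    #    is not the server's own host but an outside machine relaying through it.
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        helo, ip = parsed
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if helo.lower() in GENERIC_HELO and not (addr.is_loopback or addr.is_private):
            findings.append(f"generic HELO {helo!r} presented from public IP {ip}")

    # 2. Envelope sender (the account that authenticated to the relay) disagrees
    #    with the From header: consistent with a stolen credential at the relay.
    env_dom, hdr_dom = domain_of(msg.get("Return-Path")), domain_of(msg.get("From"))
    if env_dom and hdr_dom and env_dom != hdr_dom:
        findings.append(f"Return-Path domain {env_dom} differs from From domain {hdr_dom}")

    # 3. Recipient local part is a bare phone number, i.e. an e-mail-to-SMS gateway address.
    m = re.search(r"\b(\d{10,11})@", msg.get("To", ""))
    if m:
        findings.append(f"recipient is a phone-number mailbox ({m.group(1)}@...)")

    # 4. Vishing lure: an account-closure warning plus a callback number in the body.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("ascii", "replace")
    if URGENCY_RE.search(body) and PHONE_RE.search(body):
        findings.append("body pairs an account-closure warning with a callback number")

    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print("-", line)
```

Each finding on its own is weak (plenty of legitimate mail has a Return-Path that differs from From), which is why the function returns the list rather than a verdict; a reasonable policy is to quarantine when the relay-client check fires together with the phone-number recipient, since that combination is the signature of the campaign described above, and to feed the flagged Return-Path mailboxes to whoever can reset those credentials.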
