[nsp-sec] Yahoo phishing account

Joel Rosenblatt joel at columbia.edu
Fri May 23 14:46:25 EDT 2008


Hi,

I'm checking my mail system now for bounces from this list, but I never saw the email with the question in it .. Seth - did you not send this through the NSP 
list - we are filtering this phishing stuff very aggressively, but stuff from NSP passes through unfiltered.

Thanks,
Joel

--On Friday, May 23, 2008 12:05 AM -0400 Seth Hall <seth at net.ohio-state.edu> wrote:

>
> On May 22, 2008, at 5:46 PM, Smith, Donald wrote:
>
>> Joel were the compromised accounts being exploited from 196.207.3.10?
>> We have seen that ip abusing the drake webmail service to send spam
>> that matches Serge's spam.
>
> We've been seeing that one since the 17th.  The user-agent we saw for it was:
>    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Avant Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; Tablet PC 2.0)
>
> Here are the addresses we've seen the attackers come from with the associated browser user-agents we've seen if I logged it (multiple user agents are
> separated with pipes):
> 162.114.40.32
> 196.207.0.227	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)
> 196.207.10.102
> 196.207.15.10
> 196.207.15.201	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Avant Browser) "
> 203.55.231.100
> 209.59.56.0		Opera/9.22 (Windows NT 5.1; U; en)|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
> 211.3.203.107	Opera/9.25 (Windows NT 5.1; U; en)
> 213.160.129.51	Opera/9.25 (Windows NT 5.1; U; en)
> 213.185.118.201
> 217.21.79.166
> 38.99.101.129
> 38.99.101.130
> 38.99.101.132
> 41.204.224.37	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> 41.204.224.39	Opera/9.20 (Windows NT 6.0; U; en)|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; Crazy Browser 2.0.1)|Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 1.0.5; Acoo Browser)|Opera/9.25 (Windows NT 5.1; U; en)
> 41.204.224.41	
> 41.211.246.2
> 41.220.70.3		Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Acoo Browser)|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; Crazy Browser 3.0.0 Beta2)|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.0; en) Opera 8.51|Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
> 41.249.33.142
> 58.97.1.24		
> 64.214.231.140
> 64.72.85.62
> 65.98.28.226
> 74.85.13.51		
> 74.85.13.60		Opera/9.21 (Windows NT 5.1; U; en);afcid=Wea289eb35e42ade541968291f83df1b3|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; Seekmo 10.0.406.0; .NET CLR 2.0.50727; FDM);afcid=Wea289eb35e42ade541968291f83df1b3
> 77.73.186.83
> 80.78.18.18
> 80.88.133.12
> 80.89.176.35
> 81.199.149.88
> 81.199.176.221	Opera/9.25 (Windows NT 5.1; U; en)|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)
> 81.199.176.222
> 81.199.177.14
> 81.199.62.48
> 81.199.63.41
> 81.199.63.42	Opera/9.25 (Windows NT 5.1; U; en)
> 81.199.63.44
> 81.199.63.45	Opera/9.26 (Windows NT 5.1; U; en)|Opera/9.25 (Windows NT 5.1; U; en)
> 81.199.63.46	Opera/9.10 (Windows NT 5.1; U; en)|Opera/9.26 (Windows NT 5.1; U; en)|Opera/9.25 (Windows NT 5.1; U; en)|Opera/9.24 (Windows NT 5.1; U; en)|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FDM)
> 81.199.63.51
> 81.199.84.146
> 81.199.88.131
> 81.199.88.8		
> 81.199.89.49
> 86.96.226.15
>
> Now, here's where it gets interesting.  I started logging http headers that would indicate if the remote host is a proxy a while ago and it turns out that a
> number of these addresses are actually proxies (or at least were at the time)...
>
> 41.204.224.41  Via: 1.1 netcacheus (NetCache NetApp/6.0.4)
> 81.199.88.8  Via: 1.1 proxy:3124 (squid/2.5.STABLE11)
> 81.199.63.42  Via: 1.1 proxy:8080 (squid/2.5.STABLE11)
> 81.199.63.51  Via: 1.1 proxy:8080 (squid/2.5.STABLE11)
> 212.100.250.230  Via: 1.1 nickel.onspeed.com:3128 (squid/2.6.STABLE18)
> 162.114.40.32  Via: 1.0 NC6200-2 (NetCache NetApp/6.0.5DEBUG4)
> 148.233.159.58  Via: 1.0 cache-mex-roma-2 (NetCache NetApp/5.6.2)
>
> Even more interesting than that though, is the one address which didn't identify itself as a proxy.  The attackers would use to login to the account first,
> then we'd see multiple logins from other addresses that did indicate themselves as proxies.  If anyone has visibility on it, it might be worthwhile to poke
> around at 74.85.13.60 and find out what else it's up to.
>
> 32035   | 74.85.13.60      | US | arin     | CCDT-AS - Telekenex
>
>    .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
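The technique Seth describes in the quoted message, logging the HTTP headers that reveal a relaying proxy on webmail logins and then correlating, per account, the source addresses, their user-agents and which of them announced themselves as proxies, as an added example written for this archive page; it is not code from either poster or their institutions. The log format, the field names `ua=` and `via=`, the account names and the addresses (RFC 5737 documentation ranges) are all constructed for the example. As the thread itself notes, a Via header only identifies intermediaries that choose to announce themselves, so the "first direct login" is the address worth a closer look, not proof of the operator's real location.

```python
"""Flag webmail accounts reached from several source addresses and separate the
addresses that announce themselves as proxies (Via header) from those that do not.
Log format and sample records are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: ISO timestamp, account, client IP, then optional
# ua="..." and via="..." fields as a webmail front end might log them.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2008-05-17T08:01:12 alice 192.0.2.10 ua="Opera/9.25 (Windows NT 5.1; U; en)"
2008-05-17T08:03:40 alice 198.51.100.7 ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" via="1.1 proxy:8080 (squid/2.5.STABLE11)"
2008-05-17T08:05:02 alice 203.0.113.22 ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" via="1.1 netcacheus (NetCache NetApp/6.0.4)"
2008-05-17T09:15:55 alice 198.51.100.7 ua="Opera/9.22 (Windows NT 5.1; U; en)" via="1.1 proxy:8080 (squid/2.5.STABLE11)"
2008-05-17T10:00:00 bob 192.0.2.50 ua="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
2008-05-18T10:00:00 bob 192.0.2.50 ua="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+)(.*)$')      # timestamp account ip rest
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')             # key="value" pairs in rest


def parse_line(line):
    """Return one login record as a dict, or None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, account, ip, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "account": account,
        "ip": ip,
        "ua": fields.get("ua", ""),
        "via": fields.get("via", ""),
    }


def is_proxy(record):
    """A Via header means some intermediary (squid, NetCache, ...) relayed the
    request. Absence proves nothing: only cooperative proxies add it."""
    return bool(record["via"])


def summarize(log_text, min_ips=2):
    """Per account seen from at least min_ips distinct addresses, collect the
    addresses, the user-agents seen per address, the addresses that identified
    themselves as proxies, and the earliest login that did not go via a proxy."""
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_account[rec["account"]].append(rec)

    report = {}
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r["time"])
        ips = {r["ip"] for r in recs}
        if len(ips) < min_ips:
            continue                      # single-address accounts are not interesting here
        uas = defaultdict(set)
        proxies = {}
        for r in recs:
            if r["ua"]:
                uas[r["ip"]].add(r["ua"])
            if is_proxy(r):
                proxies[r["ip"]] = r["via"]
        direct = [r["ip"] for r in recs if not is_proxy(r)]
        report[account] = {
            "source_ips": sorted(ips),
            "user_agents": {ip: sorted(v) for ip, v in uas.items()},
            "proxies": proxies,
            "first_direct_ip": direct[0] if direct else None,
        }
    return report


def format_report(report):
    """Render the summary in the pipe-separated style used in the thread."""
    lines = []
    for account, info in sorted(report.items()):
        lines.append(f"{account}: first direct login from {info['first_direct_ip']}")
        for ip in info["source_ips"]:
            tag = "proxy: " + info["proxies"][ip] if ip in info["proxies"] else "no Via header"
            lines.append(f"  {ip}\t{'|'.join(info['user_agents'].get(ip, []))}\t[{tag}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

Run as-is it reports only `alice`, since `bob` logs in from one address; the ordering by timestamp is what lets `first_direct_ip` single out the address that touched the account before the proxied logins started.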