[nsp-sec] enom security POC?
Chris Morrow
morrowc at ops-netman.net
Tue Oct 28 01:37:17 EDT 2008
On Mon, 27 Oct 2008, Chris Morrow wrote:
> ----------- nsp-security Confidential --------
>
>
>
> On Mon, 27 Oct 2008, Nicholas Ianelli wrote:
>
>> Oh hell no, this guy is also involved in a domain that was pushing the
>> malicious AntiVirus 2009:
>>
>> Chris Morrow wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>>
>>> looks like enom is being phished :(
>>>
>>> <snip spam content>
>>> For access your account follow this link - http://www.enom.com.sys82.net
>>> </snip spam content>
>>>
>>> something about 'we are doing maintenence...' spam sample available upon
>>> request.
>
> I have samples from today starting at:
> as701.net_20081027_111.gz
>
> 11:10am UTC ...
>
> 2736 samples actually... weee! 'prolific'.
oy! so, looking for anything with enom.com: apparently I had only viewed one
example enom phish domain; there were 5407 examples on the 27th of
October, with a spread on the names of:
count domain
1809 www.enom.com.sys82.net
1807 www.enom.com.com94.net
1791 www.enom.com.sys52.net
this from grepping 'enom.com' from my samples, then
grep "For access your " /tmp/enom.domains | grep -v href |\
sed 's/^.*http:\/\///' | sort | uniq -c | sort -rn | more
over that result set, I probably missed some, but weee!!! :(
-Chris
(if there's interest I can run the same grep/blah on 28th data, but ...
maybe we just ask the .net folks to kill these domains and the domains of
the NS's for these? )
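A scripted version of the grep/sed/uniq tally above, added here as an illustrative example rather than something from the thread: it pulls URLs out of constructed sample lines shaped like the quoted phish, flags hosts that carry the impersonated brand (enom.com) as a label inside some other registrable domain, and counts per host. The sample lines and the two-label registrable-domain rule (no public-suffix list) are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample spam lines in the shape of the quoted phish
# ("For access your account follow this link - http://..."); not real captures.
SAMPLE_LINES = """\
For access your account follow this link - http://www.enom.com.sys82.net
For access your account follow this link - http://www.enom.com.sys82.net/login
For access your account follow this link - http://www.enom.com.com94.net
<a href="http://www.enom.com.sys52.net">click</a>
For access your account follow this link - http://www.enom.com.sys52.net
Your account at http://www.enom.com/ is fine
""".splitlines()

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BRAND = "enom.com"

def registrable_domain(host: str) -> str:
    # Assumption: the last two labels are the registrable domain
    # (good enough for .net/.com; a real tool would use the public suffix list).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_brand_lookalike(host: str, brand: str = BRAND) -> bool:
    """True when the brand string appears in the host but the host is not
    actually under the brand's registrable domain, e.g. www.enom.com.sys82.net."""
    host = host.lower()
    return brand in host and registrable_domain(host) != brand

def tally_phish_hosts(lines, brand: str = BRAND):
    """Equivalent of `grep | sed | sort | uniq -c | sort -rn`, keyed on the
    host so that path variants of one phishing site collapse together.
    Unlike the original pipeline it does not drop href lines, so HTML and
    plaintext copies of the same URL each count once."""
    counts = Counter()
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and is_brand_lookalike(host, brand):
                counts[host] += 1
    return counts.most_common()

if __name__ == "__main__":
    for n, host in tally_phish_hosts(SAMPLE_LINES):
        print(f"{n:6d} {host}  (registrable: {registrable_domain(host)})")
```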