[nsp-sec] server-vonage.com
Rob Thomas
robt at cymru.com
Mon Aug 17 15:43:40 EDT 2009
Hi, Michael.
> Looks like server-vonage.com pretty much exists solely as a phishing
> drop (see attached email--be careful with the links). The site is still
> up with a scraped version of the Vonage login page.
Hey hey hey, don't sell 'em short! :) They've also hosted plenty of
malware URLs, all dating back to at least 2009-04-04 05:05:52 UTC. We
have 226 incidents, mostly malware URLs, pointed to 194.154.164.103 in 2009.
It appears to be a Linux box running Apache and PHP 5.2.2.
We see 308 DNS RRs pointed to 194.154.164.103 this month. Some of our
faves include:
stamp               | qname                     | class | type | rdata
--------------------+---------------------------+-------+------+-----------------
[ ... ]
2009-08-05 01:30:24 | online1-service.biz       | IN    | A    | 194.154.164.103
2009-08-03 19:23:52 | online-bancafideuram.com  | IN    | A    | 194.154.164.103
[ ... ]
2009-08-04 00:07:47 | paypal-pagine.com         | IN    | A    | 194.154.164.103
2009-08-02 23:30:13 | paypal-secure-it.com      | IN    | A    | 194.154.164.103
2009-08-04 04:00:20 | personalebaysecure.com    | IN    | A    | 194.154.164.103
[ ... ]
2009-08-04 10:00:48 | www.123money.co.uk        | IN    | A    | 194.154.164.103
[ ... ]
2009-08-10 14:58:56 | www.anabolicmuscles.co.uk | IN    | A    | 194.154.164.103
[ ... ]
2009-08-03 10:55:50 | www.eurocrime.co.uk       | IN    | A    | 194.154.164.103
[ ... ]
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);