[nsp-sec] EDU Phishing site

Jeff Wolfe wolfe at ems.psu.edu
Fri Jul 10 10:37:56 EDT 2009 

Hey All,

We're getting hit by a phishing run that tries to point our users to
xxxx: //psu.edu.ec-uk.org, which hosts a clone of our single sign on page.

The resulting HTML uses a simple <form> POST to send the id and password
  back to the same site.

Currently the hostname res

We're poking at gnax.net, but I was wondering if any of their upstreams
may be able to help them prioritize taking this site down.

[upstream-whois.cymru.com]
PEER_AS | IP               | AS Name
1299    | 75.127.89.94     | TELIANET TeliaNet Global Network
3356    | 75.127.89.94     | LEVEL3 Level 3 Communications
3491    | 75.127.89.94     | BTN-ASN - Beyond The Network America, Inc.
4436    | 75.127.89.94     | AS-NLAYER - nLayer Communications, Inc.
25973   | 75.127.89.94     | MZIMA - Mzima Networks, Inc.



A simple zone transfer lists a number of other potential edu targets:

ec-uk.org name server ns1.jwebvps.com.
ec-uk.org name server ns2.jwebvps.com.
ec-uk.org has address 75.127.89.94
cpanel.ec-uk.org has address 75.127.89.94
binghamton.edu.ec-uk.org has address 75.127.89.94
www.binghamton.edu.ec-uk.org has address 75.127.89.94
biola.edu.ec-uk.org has address 75.127.89.94
www.biola.edu.ec-uk.org has address 75.127.89.94
enmu.edu.ec-uk.org has address 75.127.89.94
www.enmu.edu.ec-uk.org has address 75.127.89.94
humboldt.edu.ec-uk.org has address 75.127.89.94
www.humboldt.edu.ec-uk.org has address 75.127.89.94
iu.edu.ec-uk.org has address 75.127.89.94
www.iu.edu.ec-uk.org has address 75.127.89.94
ksu.edu.ec-uk.org has address 75.127.89.94
www.ksu.edu.ec-uk.org has address 75.127.89.94
marywood.edu.ec-uk.org has address 75.127.89.94
www.marywood.edu.ec-uk.org has address 75.127.89.94
ncsu.edu.ec-uk.org has address 75.127.89.94
www.ncsu.edu.ec-uk.org has address 75.127.89.94
nmsu.edu.ec-uk.org has address 75.127.89.94
www.nmsu.edu.ec-uk.org has address 75.127.89.94
psu.edu.ec-uk.org has address 75.127.89.94
www.psu.edu.ec-uk.org has address 75.127.89.94
sju.edu.ec-uk.org has address 75.127.89.94
www.sju.edu.ec-uk.org has address 75.127.89.94
ualr.edu.ec-uk.org has address 75.127.89.94
www.ualr.edu.ec-uk.org has address 75.127.89.94
uh.edu.ec-uk.org has address 75.127.89.94
www.uh.edu.ec-uk.org has address 75.127.89.94
unm.edu.ec-uk.org has address 75.127.89.94
www.unm.edu.ec-uk.org has address 75.127.89.94
unr.edu.ec-uk.org has address 75.127.89.94
www.unr.edu.ec-uk.org has address 75.127.89.94
uwrf.edu.ec-uk.org has address 75.127.89.94
www.uwrf.edu.ec-uk.org has address 75.127.89.94
wnmu.edu.ec-uk.org has address 75.127.89.94
www.wnmu.edu.ec-uk.org has address 75.127.89.94
ftp.ec-uk.org has address 75.127.89.94
localhost.ec-uk.org has address 127.0.0.1
aston.ac.uk.ec-uk.org has address 75.127.89.94
www.aston.ac.uk.ec-uk.org has address 75.127.89.94
kcl.ac.uk.ec-uk.org has address 75.127.89.94
www.kcl.ac.uk.ec-uk.org has address 75.127.89.94
kent.ac.uk.ec-uk.org has address 75.127.89.94
www.kent.ac.uk.ec-uk.org has address 75.127.89.94
ucl.ac.uk.ec-uk.org has address 75.127.89.94
www.ucl.ac.uk.ec-uk.org has address 75.127.89.94
uwe.ac.uk.ec-uk.org has address 75.127.89.94
www.uwe.ac.uk.ec-uk.org has address 75.127.89.94
webdisk.ec-uk.org has address 75.127.89.94
webmail.ec-uk.org has address 75.127.89.94
whm.ec-uk.org has address 75.127.89.94


-JEff

--------------------------------------------------
Penn State - EMS - wolfe at ems.psu.edu

More information about the nsp-security mailing list