[nsp-sec] 94 Spam Bots Exploiting Phished Mail Accounts

Gerry Sneeringer sneeri at umd.edu
Tue Nov 17 17:30:34 EST 2009


A phishing run against University of Maryland staff involving a well-made knock-off of the campus webmail portal reaped a bumper crop this week.  The following IP addresses were successful in authenticating using stolen credentials and transmitting additional phishing messages.  The times referenced (GMT) reflect the first (of many in some cases) instance in which the credentials were used by the IP address.  Most of the transmitted phish messages claimed to be from the director of the FBI regarding lottery winnings.

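As an added example (not part of the original post) of how a list like the one described above can be produced from a mail server's own authentication logs: the Python below takes constructed IMAP login lines (the log format, user names and addresses are hypothetical), records the first time each source IP authenticated as each user, and flags accounts whose credentials were used from several distinct IPs within a day, which is the pattern a phished-credential spam run leaves behind.

```python
# Added example: derive "first use of credentials per source IP" from auth logs
# and flag accounts that look like phished credentials being shared.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format, RFC 5737 test addresses).
SAMPLE_LOG = """\
Nov 17 08:23:37 webmail imapd: LOGIN ok user=jdoe rhost=198.51.100.10
Nov 17 08:25:07 webmail imapd: LOGIN ok user=jdoe rhost=203.0.113.5
Nov 17 08:36:12 webmail imapd: LOGIN ok user=jdoe rhost=198.51.100.10
Nov 17 09:27:22 webmail imapd: LOGIN ok user=jdoe rhost=192.0.2.77
Nov 17 09:30:25 webmail imapd: LOGIN ok user=asmith rhost=192.0.2.8
Nov 17 13:36:12 webmail imapd: LOGIN ok user=jdoe rhost=203.0.113.9
Nov 17 14:49:37 webmail imapd: LOGIN ok user=asmith rhost=192.0.2.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ imapd: LOGIN ok "
    r"user=(?P<user>\S+) rhost=(?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def first_seen_per_ip(log_text, year=2009):
    """Return {user: {ip: first successful login time}} from the log text."""
    first = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a successful login; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = first[m["user"]]
        if m["ip"] not in seen or ts < seen[m["ip"]]:
            seen[m["ip"]] = ts  # keep the earliest use from this IP
    return first

def flag_shared_credentials(first, min_ips=3, window_hours=24):
    """Users whose credentials were first used from >= min_ips distinct IPs
    inside one window_hours span; returns {user: [(ip, first_ts), ...]}."""
    flagged = {}
    for user, ips in first.items():
        events = sorted(ips.items(), key=lambda kv: kv[1])
        for i, (_, start) in enumerate(events):
            # count first-seen events falling within the window that opens here
            j = i
            while j < len(events) and (events[j][1] - start).total_seconds() <= window_hours * 3600:
                j += 1
            if j - i >= min_ips:
                flagged[user] = events[i:j]
                break
    return flagged
```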

Gerry Sneeringer
IT Security Officer
University of Maryland
+1 301 405 2996