[nsp-sec] Spearphish combined with fake website and drop box (Google + ASNs 17920 and 30083)
Keith Schoenefeld
keith at schoenefeld.org
Mon Nov 30 11:43:12 EST 2009
We are currently being targeted with a phish combined with a site that
looks like our webmail login page
(hxxp://logicaltest.com/blackberry/login.express.cites.uiuc.edu/, or
IP 203.145.40.71, AS 17920). Based on the source of that page, it
looks like it's using an unsecured form mailer on
hxxp://scripts.allafrica.co.za/formmail/mailer.asp (IP: 69.64.59.172,
AS 30083) to send an email message with the stolen credentials to the
email address: nicolassmith01 at sify.com (which appears to use Google
for a mail exchanger):
dig -t mx sify.com
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -t mx sify.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58381
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 12
;; QUESTION SECTION:
;sify.com. IN MX
;; ANSWER SECTION:
sify.com. 86 IN MX 30 aspmx2.googlemail.com.
sify.com. 86 IN MX 30 aspmx3.googlemail.com.
sify.com. 86 IN MX 30 aspmx4.googlemail.com.
sify.com. 86 IN MX 30 aspmx5.googlemail.com.
sify.com. 86 IN MX 10 aspmx.l.google.com.
sify.com. 86 IN MX 20 alt1.aspmx.l.google.com.
sify.com. 86 IN MX 20 alt2.aspmx.l.google.com.
Any help in getting the website, or the drop box closed down would be
greatly appreciated.
-- KS
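A triage helper for the kind of page described above, added here as an example and not part of the original post: given the saved HTML of a suspected phishing login page, it lists every form that posts to a host other than the page's own and pulls out any hidden field naming a mail recipient (the "drop box"). The hidden-field names checked (recipient, email_to, ...) are assumptions about common form-mailer scripts, and the sample HTML and hostnames are constructed for illustration.

```python
"""Find off-site form handlers and drop-box recipients in a saved phishing page.
Recipient field names are assumptions; the sample page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hidden-field names that common form-mailer scripts use for the destination address (assumed).
RECIPIENT_FIELDS = {"recipient", "recipients", "email_to", "sendto", "to"}


class FormAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.forms = []        # one dict per <form> seen
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action", "")
            # A relative action posts back to the page's own host.
            host = (urlsplit(action).hostname or self.page_host).lower()
            self._current = {"action": action, "host": host,
                             "offsite": host != self.page_host,
                             "recipients": [], "credential_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            itype = (a.get("type") or "").lower()
            if itype == "hidden" and name in RECIPIENT_FIELDS:
                self._current["recipients"].append(a.get("value", ""))
            elif itype == "password" or name in {"user", "username", "login"}:
                self._current["credential_fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(html, page_host):
    """Return forms that collect credentials and post them to another host."""
    p = FormAuditor(page_host)
    p.feed(html)
    return [f for f in p.forms if f["offsite"] and f["credential_fields"]]


# Constructed sample: a fake login form posting to a third-party form mailer.
SAMPLE = """<html><body>
<form method="post" action="http://formmail.example.invalid/mailer.asp">
<input type="hidden" name="recipient" value="dropbox@example.invalid">
<input type="text" name="username"><input type="password" name="password">
</form></body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "phish.example.invalid"):
        print(f["host"], f["recipients"], f["credential_fields"])
```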