[nsp-sec] Spearphish combined with fake website and drop box (Google + ASNs 17920 and 30083)

Chris Morrow morrowc at ops-netman.net
Mon Nov 30 12:41:13 EST 2009



On Mon, 30 Nov 2009, Keith Schoenefeld wrote:

> ----------- nsp-security Confidential --------
>
> We are currently being targeted with a phish combined with a site that
> looks like our webmail login page
> (hxxp://logicaltest.com/blackberry/login.express.cites.uiuc.edu/, or
> IP 203.145.40.71, AS 17920).  Based on the source of that page, it
> looks like it's using an unsecured form mailer on
> hxxp://scripts.allafrica.co.za/formmail/mailer.asp (IP: 69.64.59.172,
> AS 30083) to send an email message with the stolen credentials to the
> email address: nicolassmith01 at sify.com (which appears to use google
> for a mail exchanger):

I think sify is an Indian ISP actually? Perhaps we (google) just provide
their mail-infra now :( SIFY.com will have to bang on this userid though.

-chris

>
> dig -t mx sify.com
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -t mx sify.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58381
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 12
>
> ;; QUESTION SECTION:
> ;sify.com.			IN	MX
>
> ;; ANSWER SECTION:
> sify.com.		86	IN	MX	30 aspmx2.googlemail.com.
> sify.com.		86	IN	MX	30 aspmx3.googlemail.com.
> sify.com.		86	IN	MX	30 aspmx4.googlemail.com.
> sify.com.		86	IN	MX	30 aspmx5.googlemail.com.
> sify.com.		86	IN	MX	10 aspmx.l.google.com.
> sify.com.		86	IN	MX	20 alt1.aspmx.l.google.com.
> sify.com.		86	IN	MX	20 alt2.aspmx.l.google.com.
>
> Any help in getting the website, or the drop box closed down would be
> greatly appreciated.
>
> -- KS
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
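As an added example (my code, not part of this thread), a small Python helper that parses the dig MX answer quoted above and names the provider that actually receives mail for the drop-box domain, so the takedown request goes to the right abuse team. The suffix-to-provider table is an assumption of mine; the sample input is the MX answer section from the thread.

```python
import re
from typing import List, Tuple

# Constructed sample: the ANSWER SECTION of the dig -t mx query quoted above.
DIG_OUTPUT = """\
;; ANSWER SECTION:
sify.com.		86	IN	MX	30 aspmx2.googlemail.com.
sify.com.		86	IN	MX	30 aspmx3.googlemail.com.
sify.com.		86	IN	MX	30 aspmx4.googlemail.com.
sify.com.		86	IN	MX	30 aspmx5.googlemail.com.
sify.com.		86	IN	MX	10 aspmx.l.google.com.
sify.com.		86	IN	MX	20 alt1.aspmx.l.google.com.
sify.com.		86	IN	MX	20 alt2.aspmx.l.google.com.
"""

# Assumed mapping of MX host suffixes to the provider running the mailboxes.
PROVIDER_SUFFIXES = {
    "google.com.": "Google",
    "googlemail.com.": "Google",
}

# owner  TTL  IN  MX  preference  exchange   (tabs or spaces between fields)
MX_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)$")


def parse_mx(dig_text: str) -> List[Tuple[int, str]]:
    """Return (preference, exchange) pairs from dig MX output, lowest preference first."""
    records = []
    for line in dig_text.splitlines():
        m = MX_RE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3).lower()))
    return sorted(records)


def mail_provider(dig_text: str) -> str:
    """Name the provider behind the lowest-preference MX (the host that normally accepts mail)."""
    records = parse_mx(dig_text)
    if not records:
        return "unknown"
    _, exchange = records[0]
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if exchange.endswith("." + suffix):
            return provider
    return "unknown"
```

The domain's registrant (here sify.com) still owns the account, so both the domain owner and the provider named by mail_provider() are worth contacting.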
