[nsp-sec] Spearphish combined with fake website and drop box (Google + ASNs 17920 and 30083)
Shelton, Steve
sshelton at Cogentco.com
Mon Nov 30 13:29:37 EST 2009
Keith,
The site appears to be down, hopefully stays that way. I sent a notice
downstream at Mon 11/30/2009 10:09 AM.
Currently showing 404 | URL /blackberry/login.express.cites.uiuc.edu/
was not found on this server.
--- 11/30/09 11:28:58 Mountain Standard Time
--- reading URL logicaltest.com/blackberry/login.express.cites.uiuc.edu/
--- contacting host logicaltest.com [203.145.40.71] on port 80
HTTP/1.1 404 Not Found
Note: I have yet to receive a formal response from our downstream as of
yet.
Steve Shelton
Security Engineer
Cogent Communications
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Keith Schoenefeld
Sent: Monday, November 30, 2009 9:43 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Spearphish combined with fake website and drop box (Google + ASNs 17920 and 30083)
----------- nsp-security Confidential --------
We are currently being targeted with a phish combined with a site that
looks like our webmail login page
(hxxp://logicaltest.com/blackberry/login.express.cites.uiuc.edu/, or
IP 203.145.40.71, AS 17920). Based on the source of that page, it
looks like it's using an unsecured form mailer on
hxxp://scripts.allafrica.co.za/formmail/mailer.asp (IP: 69.64.59.172,
AS 30083) to send an email message with the stolen credentials to the
email address: nicolassmith01 at sify.com (which appears to use google
for a mail exchanger):
dig -t mx sify.com
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -t mx sify.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58381
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 12
;; QUESTION SECTION:
;sify.com. IN MX
;; ANSWER SECTION:
sify.com. 86 IN MX 30 aspmx2.googlemail.com.
sify.com. 86 IN MX 30 aspmx3.googlemail.com.
sify.com. 86 IN MX 30 aspmx4.googlemail.com.
sify.com. 86 IN MX 30 aspmx5.googlemail.com.
sify.com. 86 IN MX 10 aspmx.l.google.com.
sify.com. 86 IN MX 20 alt1.aspmx.l.google.com.
sify.com. 86 IN MX 20 alt2.aspmx.l.google.com.
Any help in getting the website, or the drop box closed down would be
greatly appreciated.
-- KS
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
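The two checks the thread relies on, working out where the drop-box mailbox is hosted from its MX records so the abuse report goes to the right provider, and confirming from the HTTP status line that the phishing path has been taken down, as an added example written for this page rather than code from either poster. The dig text below is the answer section quoted in Keith's post, re-joined one record per line; the suffix-to-provider map is an illustrative assumption that an operator would extend with their own list.

```python
import re
from dataclasses import dataclass

# Constructed sample: the dig answer section from the post above, re-joined
# onto one line per MX record.
DIG_OUTPUT = """\
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -t mx sify.com
;; QUESTION SECTION:
;sify.com. IN MX
;; ANSWER SECTION:
sify.com. 86 IN MX 30 aspmx2.googlemail.com.
sify.com. 86 IN MX 30 aspmx3.googlemail.com.
sify.com. 86 IN MX 30 aspmx4.googlemail.com.
sify.com. 86 IN MX 30 aspmx5.googlemail.com.
sify.com. 86 IN MX 10 aspmx.l.google.com.
sify.com. 86 IN MX 20 alt1.aspmx.l.google.com.
sify.com. 86 IN MX 20 alt2.aspmx.l.google.com.
"""


@dataclass(frozen=True)
class MXRecord:
    owner: str
    ttl: int
    preference: int
    exchange: str


# One dig-style MX answer line: owner, TTL, class, type, preference, exchange.
MX_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<exchange>\S+)\s*$"
)


def parse_mx(dig_text):
    """Extract MX records from dig output, lowest preference (highest priority) first."""
    records = []
    for line in dig_text.splitlines():
        line = line.strip()
        # Comment and section lines in dig output begin with ';'.
        if not line or line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if m:
            records.append(
                MXRecord(
                    owner=m["owner"].rstrip(".").lower(),
                    ttl=int(m["ttl"]),
                    preference=int(m["pref"]),
                    exchange=m["exchange"].rstrip(".").lower(),
                )
            )
    return sorted(records, key=lambda r: (r.preference, r.exchange))


# Assumption: illustrative map of exchanger suffixes to the provider that
# would receive an abuse report for the mailbox. Extend with your own entries.
PROVIDER_SUFFIXES = {
    "google.com": "Google",
    "googlemail.com": "Google",
}


def identify_provider(records):
    """Name the provider behind the primary exchanger, or None if unknown/empty."""
    if not records:
        return None
    primary = records[0].exchange
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if primary == suffix or primary.endswith("." + suffix):
            return provider
    return None


HTTP_STATUS = re.compile(r"^HTTP/\d\.\d\s+(?P<code>\d{3})\b")


def takedown_confirmed(status_line):
    """True when the status line shows the phishing path is gone (404 or 410)."""
    m = HTTP_STATUS.match(status_line.strip())
    return bool(m) and m["code"] in {"404", "410"}


if __name__ == "__main__":
    mx = parse_mx(DIG_OUTPUT)
    print("primary exchanger:", mx[0].exchange, "->", identify_provider(mx))
    print("takedown confirmed:", takedown_confirmed("HTTP/1.1 404 Not Found"))
```

Sorting by preference matters: the provider is judged from the exchanger that actually receives mail first (preference 10 here), not from whichever record dig happened to print first. A 404 from the host only shows the path is gone; the host itself is still up, so a second check later is worthwhile before closing the ticket.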