[nsp-sec] Fast Fluxing Phish Nameservers
Tim Wilde
twilde at cymru.com
Wed Sep 2 15:17:00 EDT 2009
Hey Everyone!
FYI, the same four nameservers seem to be in play on all of the recent
heavily-spammed fast-fluxing phishing sites that have been going around
lately:
upgrade-accounts.com. 172800 IN NS ns1.my-toshi-dns.com.
upgrade-accounts.com. 172800 IN NS ns2.my-toshi-dns.com.
upgrade-accounts.com. 172800 IN NS ns3.my-toshi-dns.com.
upgrade-accounts.com. 172800 IN NS ns4.my-toshi-dns.com.
These have also been seen on account-verifications.com,
alliance-leicester???.com (where the ??? are three digits, a bunch of
variations), verification-processing.com, and at least one other one
that I can't remember right now.
The A records for these NSes themselves show some signs that they may be
fluxing (albeit somewhat slowly due to glue) and being periodically shut
down, but if you have the capability to sink DNS names in your
infrastructure, sinking these four hosts might save your customers from
a lot of phish hassle. I do not see any non-phish names using these
NSes in our passive DNS data for the past month.
Regards,
Tim Wilde
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
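One way to turn the two ideas in the post (pivoting passive DNS on the four NS hosts, and sinking those hosts) into code, as an added example that is not part of the original message: it parses NS records in the zone format shown above, lists every domain delegated to a watchlisted nameserver, and emits BIND RPZ NSDNAME triggers that make any name served by those NSes resolve to NXDOMAIN. The passive DNS lines other than the upgrade-accounts.com ones, and the function names, are constructed here.

```python
import re

# Watchlist taken from the post: the four nameservers seen on the phishing domains.
WATCHLIST = {f"ns{i}.my-toshi-dns.com" for i in range(1, 5)}

# Constructed passive-DNS-style NS records in zone-file form. The
# upgrade-accounts.com lines mirror the post; the others are made up here,
# including one benign domain on unrelated nameservers as a control.
SAMPLE_RECORDS = """\
upgrade-accounts.com. 172800 IN NS ns1.my-toshi-dns.com.
upgrade-accounts.com. 172800 IN NS ns2.my-toshi-dns.com.
upgrade-accounts.com. 172800 IN NS ns3.my-toshi-dns.com.
upgrade-accounts.com. 172800 IN NS ns4.my-toshi-dns.com.
account-verifications.com. 172800 IN NS ns1.my-toshi-dns.com.
alliance-leicester123.com. 172800 IN NS NS2.My-Toshi-DNS.com.
example.org. 86400 IN NS a.iana-servers.net.
"""

NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def canon(name):
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def parse_ns_records(text):
    """Map each domain to the set of nameservers delegated for it."""
    delegations = {}
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if not m:
            continue  # skip blank lines and non-NS records
        delegations.setdefault(canon(m.group(1)), set()).add(canon(m.group(2)))
    return delegations


def domains_using(delegations, watchlist):
    """Pivot: every domain whose delegation touches a watchlisted nameserver."""
    bad = {canon(n) for n in watchlist}
    return sorted(d for d, ns in delegations.items() if ns & bad)


def rpz_nsdname_records(watchlist):
    """BIND RPZ NSDNAME triggers (relative to the policy zone origin)."""
    return [f"{canon(n)}.rpz-nsdname CNAME ." for n in sorted(watchlist)]


if __name__ == "__main__":
    hits = domains_using(parse_ns_records(SAMPLE_RECORDS), WATCHLIST)
    print("domains on watchlisted NSes:", hits)
    print("\n".join(rpz_nsdname_records(WATCHLIST)))
```

The RPZ lines go into your policy zone; check that NSDNAME triggers are enabled in your response-policy configuration (BIND exposes this as nsdname-enable), since an NSDNAME rule is a no-op when they are off.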