[nsp-sec] Credential dropbox at AS 5413 ??
RuthAnne Bevier
ruthanne at caltech.edu
Wed Sep 16 15:04:02 EDT 2009
Fwiw, this site evidently has been a drop box since at least 24
August 2009 (.net and .com both resolve to the same IP address currently).
Here is a message our users received at the time (unfortunately I
don't have full headers for this):
> From: IT Service Center <qyhe at hku.hk>
> Date: August 24, 2009 3:37:39 PM PDT
> To: undisclosed-recipients:;
> Subject: Mailbox quota exceeded!!!
> Reply-To: kelvin_nice143 at hotmail.com
>
> IT Service,
>
> You have exceeded the limit of your mailbox set by your IT
> service, and you will be having problems in sending and recieving
> mails.
> To prevent this, please click on the link below to reset your
> account.
>
> http://www.updateserver2009.net
>
> Failure to do this, will result in limited access to your mailbox.
>
> Warning!!! Do not send your username and password via email.
>
> Regards,
> IT Service.
>
--RuthAnne
On Tue, Sep 15, 2009 at 10:49:06PM -0400, Gabriel Iovino wrote:
> ----------- nsp-security Confidential --------
>
> Greetings,
>
> I had a trusted source tell me that they have seen several phishing
> emails with a phishing form dropbox at:
>
> hxxp://www.updateserver2009.com
>
> (Online as of 10:45 PM EDT)
>
> This person says they are having trouble getting anyone to respond to
> their take down requests.
>
> Unfortunately I do not have any example emails but looking at the web
> page, it is not a big leap to say this is probably a phishing dropbox.
>
> Do we have any contacts at AS 5413 that could investigate and if it is
> indeed a phishing dropbox get this taken down?
>
> *****
>
> > whois updateserver2009.com
> >
> > Whois Server Version 2.0
> >
> > Domain names in the .com and .net domains can now be registered
> > with many different competing registrars. Go to http://www.internic.net
> > for detailed information.
> >
> > Domain Name: UPDATESERVER2009.COM
> > Registrar: TUCOWS INC.
> > Whois Server: whois.tucows.com
> > Referral URL: http://domainhelp.opensrs.net
> > Name Server: NS.123-REG.CO.UK
> > Name Server: NS2.123-REG.CO.UK
> > Status: clientTransferProhibited
> > Status: clientUpdateProhibited
> > Updated Date: 23-aug-2009
> > Creation Date: 23-aug-2009
> > Expiration Date: 23-aug-2010
> >
> >>>> Last update of whois database: Wed, 16 Sep 2009 02:41:51 UTC <<<
>
> *****
>
> > dig www.updateserver2009.com
> >
> > ; <<>> DiG 9.5.1-P3 <<>> www.updateserver2009.com
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14993
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;www.updateserver2009.com. IN A
> >
> > ;; ANSWER SECTION:
> > www.updateserver2009.com. 86137 IN A 194.154.164.82
> >
> > ;; Query time: 61 msec
> > ;; SERVER: x.x.x.x#53(x.x.x.x)
> > ;; WHEN: Tue Sep 15 22:38:11 2009
> > ;; MSG SIZE rcvd: 58
>
> *****
>
> > whois -h whois.cymru.com 194.154.164.82
> > AS | IP | AS Name
> > 5413 | 194.154.164.82 | AS5413 GX Networks
>
> *****
>
> > whois -h peer.whois.cymru.com 194.154.164.82
> > PEER_AS | IP | AS Name
> > 1299 | 194.154.164.82 | TELIANET TeliaNet Global Network
> > 3356 | 194.154.164.82 | LEVEL3 Level 3 Communications
> > 10310 | 194.154.164.82 | YAHOO-1 - Yahoo!
> > 15606 | 194.154.164.82 | NASK-TRANSIT NASK Transit AS
>
> *****
>
> Thank you
>
> Gabe
>
> --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
RuthAnne Bevier
Information Security
California Institute of Technology
626-395-2671
ruthanne at caltech.edu
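As an added example (not code from either message in this thread), the Python below applies the checks an abuse desk would run against a lure like the one quoted above: a Reply-To domain that differs from the From domain, a link whose registrable domain is outside the sender's, and a link domain whose whois creation date is only days before the message arrived. The sample message and the creation-date table are constructed from values in the thread, not fetched live; the `registrable()` helper is a deliberately crude two-label guess.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample, modelled on the lure quoted in the thread; the original
# report noted full headers were not available, so these are abbreviated.
SAMPLE_LURE = """\
From: IT Service Center <qyhe@hku.hk>
Date: Mon, 24 Aug 2009 15:37:39 -0700
To: undisclosed-recipients:;
Subject: Mailbox quota exceeded!!!
Reply-To: kelvin_nice143@hotmail.com

You have exceeded the limit of your mailbox. To prevent this, please
click on the link below to reset your account.

http://www.updateserver2009.net

Failure to do this, will result in limited access to your mailbox.
"""

# Whois "Creation Date" as the analyst recorded it after a manual lookup
# (constructed lookup table, not a live query).
KNOWN_CREATION_DATES = {"updateserver2009.net": date(2009, 8, 23)}


def registrable(host):
    """Crude registrable-domain guess: last two labels (fine for .com/.net)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw, creation_dates, max_age_days=30):
    """Return indicator strings found in one message (empty list = nothing seen)."""
    msg = message_from_string(raw)
    hits = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        hits.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    received = parsedate_to_datetime(msg["Date"]).date()
    for host in URL_HOST_RE.findall(msg.get_payload()):
        dom = registrable(host)
        if dom != registrable(from_dom):
            hits.append(f"link to {dom} is outside sender domain {registrable(from_dom)}")
        created = creation_dates.get(dom)
        if created and (received - created).days <= max_age_days:
            hits.append(f"{dom} was registered {(received - created).days} day(s) before receipt")
    return hits
```

Running `triage(SAMPLE_LURE, KNOWN_CREATION_DATES)` yields three indicators for the sample; a message whose links stay inside the sender's own domain and carries no Reply-To mismatch returns an empty list.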