[nsp-sec] DDoS target intel/info request.
Nicholas Ianelli
ni at allyourinfoarebelongto.us
Mon Dec 19 23:53:36 EST 2011
Apologies, I totally missed the "etrade" part when I looked at this email
earlier. I sent the following to AFP (based on email to another list -
which also corresponds with the data Rob already shared):

They are being targeted by Dirt Jumper. Just got a new C2 in this AM and
noticed the following (GMT timestamp of when we first brought this C2
online: 20111219200830):
https://invest.etrade.com.au/Help/Context.aspx?key=Transfering%20Money%20%28Withdrawals%20%26%20Deposits%29
https://invest.etrade.com.au/AccountServices/AccountDetails/default.aspx
https://invest.etrade.com.au/ProductsAndTools/Default.aspx
https://etrade.com.au
https://invest.etrade.com.au/Login.aspx
https://invest.etrade.com.au/InvestmentProducts/ManagedFunds/Default.aspx
C2: sadasdnwqjrrww.net
My guess is, the actors have a number of popped AU based eTrade accounts
and are going to be setting up some Wire/ACH payments outbound (if they
haven't done so already).
For completeness, full target list:
Nick
On 12/19/2011 09:57 PM, Saunders, D'Wayne S wrote:
> ----------- nsp-security Confidential --------
>
> Rob,
> Thanks for the Data.
>
> Scott, I will pass this data on to the relevant people.
>
> D'Wayne Saunders
> Security Technologies | Security Operations | NITO
>
> P +61 3 86475889 | M +61 412 832 322 | E
> dwayne.saunders at team.telstra.com
>
> On 20/12/11 8:32 AM, "Rob Thomas" <robt at cymru.com> wrote:
>
>> 195.3.147.30