[nsp-sec] [FICORA #541034] Nordea phishing sites
Jussi Eronen
juhani.eronen at ficora.fi
Fri Sep 9 12:13:44 EDT 2011
Hello,
We are seeing phishing emails targeted at Nordea, a big Nordic
bank. This campaign seems to have started earlier today. The spammed
links include:
hxxp://solo1.nordea-fi.com/nspi/?engine?usecase=menu&command
hxxp://solo1.nordea-fis.com/nspi/?engine?usecase=menu&command
solo1.nordea-fi.com has address 88.191.36.45
solo1.nordea-fis.com has address 88.191.36.45
They're actually wildcard domains:
xxx.nordea-fi.com has address 88.191.36.45
xxx.nordea-fis.com has address 88.191.36.45
The name server is:
ns1.nordea-fi.com has address 203.146.251.8
ns2.nordea-fi.com has address 203.146.251.8
AS | IP | CC | AS Name
12322 | 88.191.36.45 | FR | PROXAD Free SAS
9891 | 203.146.251.8 | TH | CSLOX-IDC-AS-AP CS LOXINFO Public Company Limited.
Any help in taking these domains and servers down is really appreciated.
We have contacted the respective ISPs and CERTs, but as we do not
really have any special contacts, anything you can do to expedite
takedown and investigation would be great.
Whois results for the domains are identical:
Tech Name............ Arthur Williams
Tech Address......... lake tarson 41
Tech Address.........
Tech Address......... new york city
Tech Address......... 90121
Tech Address......... NY
Tech Address......... UNITED STATES
Tech Email........... sir.arthur999 at hotmail.com
Tech Phone........... +1.802716100
Tech Fax.............
Name Server.......... ns2.nordea-fi.com
Name Server.......... ns1.nordea-fi.com

Tech Name............ Arthur Williams
Tech Address......... lake tarson 41
Tech Address.........
Tech Address......... new york city
Tech Address......... 90121
Tech Address......... NY
Tech Address......... UNITED STATES
Tech Email........... sir.arthur999 at hotmail.com
Tech Phone........... +1.802716100
Tech Fax.............
Name Server.......... ns2.nordea-fis.com
Name Server.......... ns1.nordea-fis.com
Passive DNS results indicate that the domain has been used for various
scams in the past:
Thanks,
-Jussi / CERT-FI
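The post pivots on the name server IP 203.146.251.8 through passive DNS and finds other brand-impersonating name servers parked on it. Below is an added example, not part of the original post or CERT-FI's tooling, of how an analyst might script that pivot: it parses passive DNS records in the two-line "first_seen last_seen / name A ip" layout quoted in the post, then groups lookalike hostnames per IP. The sample records are constructed from values quoted in the post (the nordea-fi.com timestamp is made up), and the brand list and the "brand prefix on the second-level label" heuristic are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample in the post's passive-DNS layout: a timestamp line
# ("first_seen last_seen") followed by a resource-record line ("name A ip").
SAMPLE = """\
2009-09-03 14:39:54 2010-09-14 01:55:40
stats.watta.co.th A 203.146.251.8
2011-09-08 16:16:56 2011-09-08 16:16:56
ns1.westernuniona.com A 203.146.251.8
2011-08-29 03:47:28 2011-08-30 07:11:22
ns1.paypal-fpi.com A 203.146.251.8
2011-07-13 13:46:39 2011-07-13 13:46:40
ns2.google-uc.com A 203.146.251.8
2011-09-09 00:00:00 2011-09-09 00:00:00
ns1.nordea-fi.com A 203.146.251.8
"""

# Assumed brand list; the legitimate second-level label of each brand is
# exempted so that e.g. www.paypal.com is never flagged.
BRANDS = ("nordea", "paypal", "google", "westernunion")
LEGIT_LABELS = {"nordea", "paypal", "google", "westernunion"}

def parse_pdns(text):
    """Return (first_seen, last_seen, name, rtype, value) tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for ts, rr in zip(lines[0::2], lines[1::2]):
        first_seen, last_seen = ts[:19], ts[20:]   # two "YYYY-MM-DD HH:MM:SS" stamps
        name, rtype, value = rr.split()
        records.append((first_seen, last_seen, name.lower(), rtype, value))
    return records

def registered_label(hostname):
    """Second-level label, e.g. 'paypal-fpi' for ns1.paypal-fpi.com.
    Assumes a one-label public suffix, which holds for the .com/.net samples."""
    parts = hostname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_brand(hostname):
    """Return the brand the hostname's registered label impersonates, or None."""
    label = registered_label(hostname)
    for brand in BRANDS:
        if label.startswith(brand) and label not in LEGIT_LABELS:
            return brand
    return None

def suspicious_by_ip(records):
    """Map IP -> sorted (hostname, brand) pairs for lookalike A records."""
    hits = defaultdict(list)
    for _, _, name, rtype, value in records:
        brand = lookalike_brand(name) if rtype == "A" else None
        if brand:
            hits[value].append((name, brand))
    return {ip: sorted(pairs) for ip, pairs in hits.items()}
```

An IP that hosts name servers for several unrelated brand lookalikes, as 203.146.251.8 does here, is worth blocking or escalating as a unit rather than one domain at a time.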