[nsp-sec] [FICORA #541034] Nordea phishing sites

Christoph Sprongl ch at it-austria.net
Fri Sep 9 13:25:36 EDT 2011


Jussi, submit URL to http://www.phishtank.com/ - that helps a lot normally.

cheers,
ch

> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> We are seeing phishing emails targeted at Nordea, a big Nordic
> bank. This campaign seems to have started earlier today. The spammed
> links include:
>
> hxxp://solo1.nordea-fi.com/nspi/?engine?usecase=menu&command
> hxxp://solo1.nordea-fis.com/nspi/?engine?usecase=menu&command
>
> solo1.nordea-fi.com has address 88.191.36.45
> solo1.nordea-fis.com has address 88.191.36.45
>
> They're actually wildcard domains:
>
> xxx.nordea-fi.com has address 88.191.36.45
> xxx.nordea-fis.com has address 88.191.36.45
>
> The name server is:
>
> ns1.nordea-fi.com has address 203.146.251.8
> ns2.nordea-fi.com has address 203.146.251.8
>
> AS      | IP               | CC | AS Name
> 12322   | 88.191.36.45     | FR | PROXAD Free SAS
> 9891    | 203.146.251.8    | TH | CSLOX-IDC-AS-AP CS LOXINFO Public Company Limited.
>
> Any help in taking these domains and servers down is really appreciated.
> We have contacted the respective ISPs and CERTs, but as we do not
> really have any special contacts, anything you can do to expedite
> takedown and investigation would be great.
>
> Whois results for the domains are identical:
>
> Tech Name............ Arthur Williams
>   Tech Address......... lake tarson 41
>   Tech Address.........
>   Tech Address......... new york city
>   Tech Address......... 90121
>   Tech Address......... NY
>   Tech Address......... UNITED STATES
>   Tech Email........... sir.arthur999 at hotmail.com
>   Tech Phone........... +1.802716100
>   Tech Fax.............
>   Name Server.......... ns2.nordea-fi.com
>   Name Server.......... ns1.nordea-fi.com
>
> Tech Name............ Arthur Williams
>   Tech Address......... lake tarson 41
>   Tech Address.........
>   Tech Address......... new york city
>   Tech Address......... 90121
>   Tech Address......... NY
>   Tech Address......... UNITED STATES
>   Tech Email........... sir.arthur999 at hotmail.com
>   Tech Phone........... +1.802716100
>   Tech Fax.............
>   Name Server.......... ns2.nordea-fis.com
>   Name Server.......... ns1.nordea-fis.com
>
> Passive DNS results indicate that the domain has been used for various
> scams in the past:
>
> 2009-09-03 14:39:54     2010-09-14 01:55:40
> stats.watta.co.th       A      203.146.251.8
> 2011-09-08 16:16:56     2011-09-08 16:16:56
> ns1.westernuniona.com   A      203.146.251.8
> 2011-09-08 16:16:56     2011-09-08 16:16:56
> ns2.westernuniona.com   A      203.146.251.8
> 2011-07-13 13:46:39     2011-07-13 13:46:40
> ns1.google-uc.com       A      203.146.251.8
> 2011-07-13 13:46:39     2011-07-13 13:46:40
> ns2.google-uc.com       A      203.146.251.8
> 2011-09-07 16:47:26     2011-09-07 16:47:26
> ns1.google-lid.com      A      203.146.251.8
> 2011-09-07 16:47:26     2011-09-07 16:47:26
> ns2.google-lid.com      A      203.146.251.8
> 2010-05-07 10:56:50     2011-01-30 13:31:46
> www.joeannbrandname.com A      203.146.251.8
> 2011-08-02 06:04:34     2011-08-02 06:04:34
> ns1.google-jg.com       A      203.146.251.8
> 2011-08-02 06:04:34     2011-08-02 06:04:34
> ns2.google-jg.com       A      203.146.251.8
> 2011-08-29 03:47:28     2011-08-30 07:11:22
> ns1.paypal-fpi.com      A      203.146.251.8
> 2011-08-29 03:47:28     2011-08-30 07:11:22
> ns2.paypal-fpi.com      A      203.146.251.8
> 2011-08-27 09:49:32     2011-08-27 09:49:32
> ns1.paypal-aui.com      A      203.146.251.8
> 2011-08-27 09:49:32     2011-08-27 09:49:32
> ns2.paypal-aui.com      A      203.146.251.8
> 2010-06-21 15:17:44     2010-06-21 15:20:31
> adwords.google-lj.com   A      203.146.251.8
> 2011-08-02 16:23:07     2011-08-04 17:23:07
> ns1.google-pj.com       A      203.146.251.8
> 2011-08-02 16:23:07     2011-08-04 17:23:07
> ns2.google-pj.com       A      203.146.251.8
> 2010-12-13 22:48:17     2011-08-23 07:55:09
> www.wattabook.com       A      203.146.251.8
> 2007-09-20 09:47:48     2007-11-26 18:49:22
> mail.potfool.com        A      203.146.251.8
> 2011-08-31 23:04:43     2011-08-31 23:04:45
> ns1.paypal-an.com       A      203.146.251.8
> 2011-08-31 23:04:43     2011-08-31 23:04:45
> ns2.paypal-an.com       A      203.146.251.8
> 2011-07-23 14:25:48     2011-07-23 14:25:48
> ns1.paypal-sn.com       A      203.146.251.8
> 2011-07-23 14:25:48     2011-07-23 14:25:48
> ns2.paypal-sn.com       A      203.146.251.8
> 2011-09-06 18:23:14     2011-09-06 23:11:11
> ns1.paypal-fo.com       A      203.146.251.8
> 2011-09-06 18:23:14     2011-09-06 23:11:11
> ns2.paypal-fo.com       A      203.146.251.8
> 2011-08-26 04:23:03     2011-08-28 00:07:34
> ns1.paypal-sp.com       A      203.146.251.8
> 2011-08-26 04:23:03     2011-08-28 00:07:34
> ns2.paypal-sp.com       A      203.146.251.8
> 2011-08-30 07:06:41     2011-08-30 07:06:41
> ns1.paypal-pcr.com      A      203.146.251.8
> 2011-08-30 07:06:41     2011-08-30 07:06:41
> ns2.paypal-pcr.com      A      203.146.251.8
> 2011-07-25 15:23:12     2011-07-26 17:27:42
> ns1.google-hs.com       A      203.146.251.8
> 2011-07-25 15:23:12     2011-07-26 17:27:42
> ns2.google-hs.com       A      203.146.251.8
> 2011-09-07 13:17:57     2011-09-07 13:17:58
> ns1.google-fv.com       A      203.146.251.8
> 2011-09-07 13:17:57     2011-09-07 13:17:58
> ns2.google-fv.com       A      203.146.251.8
> 2009-05-22 13:19:11     2011-09-08 16:39:23
> ns.x789x.com    A       203.146.251.8
> 2011-09-07 17:40:32     2011-09-07 17:46:43
> ns1.google-lix.com      A      203.146.251.8
> 2011-09-07 17:40:32     2011-09-07 17:46:43
> ns2.google-lix.com      A      203.146.251.8
> 2011-08-02 09:23:22     2011-08-02 09:23:23
> ns1.google-jy.com       A      203.146.251.8
> 2011-08-02 09:23:22     2011-08-02 09:23:23
> ns2.google-jy.com       A      203.146.251.8
> 2008-12-06 20:51:21     2010-06-13 03:38:41
> ejobeasy.com    A       203.146.251.8
> 2009-10-20 15:22:03     2010-06-13 03:39:22
> mail.ejobeasy.com       A      203.146.251.8
> 2009-08-15 12:22:15     2011-06-26 03:07:57
> ns.ejobeasy.com A       203.146.251.8
> 2008-12-17 06:45:59     2010-08-30 11:28:51
> www.ejobeasy.com        A      203.146.251.8
> 2009-05-11 15:01:07     2011-09-08 16:39:23
> ns.elearneasy.com       A      203.146.251.8
> 2008-12-06 18:53:59     2011-06-26 03:07:56
> ecareasy.com    A       203.146.251.8
> 2010-06-12 02:20:25     2010-06-12 21:16:55
> mail.ecareasy.com       A      203.146.251.8
> 2008-11-02 13:05:52     2011-07-13 08:05:45
> www.ecareasy.com        A      203.146.251.8
> 2011-07-25 18:17:00     2011-07-26 16:25:41
> ns1.google-oa.net       A      203.146.251.8
> 2011-07-25 18:17:00     2011-07-26 16:25:41
> ns2.google-oa.net       A      203.146.251.8
>
> Thanks,
>
> - -Jussi / CERT-FI
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAk5qOzIACgkQb5sSMzb1qN2BAQCcC1nnULfOK+E1WzdMfx5cw9m5
> MiIAoIzuW7pbKU3orxlqfHnxRCAGBxiZ
> =As3j
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
>
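The two checks in the CERT-FI report above, pivoting on the name-server IP through passive DNS to find sibling brand-impersonation domains, and probing a random label to confirm a wildcard zone, are small enough to script. The following is an added example written for this archive page, not code from CERT-FI or the nsp-security list. It assumes the passive-DNS listing is formatted as in the report (a timestamp pair line followed by a name/type/rdata line), uses a hypothetical brand list and look-alike regex as a heuristic, and uses a constructed stand-in resolver that encodes only what the report observed; in practice the `resolve` callable would wrap a real lookup such as dnspython's `dns.resolver.resolve(name, "A")`.

```python
"""
Pivot on the passive-DNS data from the CERT-FI report: parse the records,
find other brand look-alike domains parked on the same name-server IP, and
reproduce the report's wildcard check (a label nobody registered resolves
to the same address as the phishing host).
"""
import re
import secrets
from collections import defaultdict
from datetime import datetime

# A subset of the passive-DNS listing quoted in the report, embedded here as
# constructed sample input: a "first-seen last-seen" line, then "name type rdata".
PDNS_TEXT = """\
2009-09-03 14:39:54     2010-09-14 01:55:40
stats.watta.co.th       A      203.146.251.8
2011-09-08 16:16:56     2011-09-08 16:16:56
ns1.westernuniona.com   A      203.146.251.8
2011-07-13 13:46:39     2011-07-13 13:46:40
ns1.google-uc.com       A      203.146.251.8
2011-08-29 03:47:28     2011-08-30 07:11:22
ns1.paypal-fpi.com      A      203.146.251.8
2008-12-06 20:51:21     2010-06-13 03:38:41
ejobeasy.com    A       203.146.251.8
"""

# Hypothetical brand list. The regex flags "<brand>-<suffix>.<tld>" and
# "<brand><1-3 letters>.<tld>" registrations such as nordea-fis.com,
# paypal-fpi.com or westernuniona.com; the exact brand domain does not match.
BRANDS = ("nordea", "paypal", "google", "westernunion")
LOOKALIKE = re.compile(
    r"(?:^|\.)((" + "|".join(BRANDS) + r")(?:-[a-z0-9]+|[a-z]{1,3})\.[a-z]+)$"
)


def parse_pdns(text):
    """Turn the two-line-per-record listing into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating timestamp / record lines")
    records = []
    for ts_line, rr_line in zip(lines[0::2], lines[1::2]):
        p = ts_line.split()
        first = datetime.strptime(f"{p[0]} {p[1]}", "%Y-%m-%d %H:%M:%S")
        last = datetime.strptime(f"{p[2]} {p[3]}", "%Y-%m-%d %H:%M:%S")
        name, rrtype, rdata = rr_line.split()
        records.append({"first_seen": first, "last_seen": last,
                        "name": name.lower().rstrip("."),
                        "rrtype": rrtype, "rdata": rdata})
    return records


def lookalikes_on_ip(records, ip):
    """Group brand look-alike domains whose A record points at `ip`.

    Returns {brand: {registered_domain: [first_seen, last_seen]}}, merging
    the observation window when several hosts of one domain are listed.
    """
    by_brand = defaultdict(dict)
    for r in records:
        if r["rrtype"] != "A" or r["rdata"] != ip:
            continue
        m = LOOKALIKE.search(r["name"])
        if not m:
            continue
        domain, brand = m.group(1), m.group(2)
        window = by_brand[brand].setdefault(domain, [r["first_seen"], r["last_seen"]])
        window[0] = min(window[0], r["first_seen"])
        window[1] = max(window[1], r["last_seen"])
    return by_brand


def is_wildcard(domain, known_host, resolve):
    """The report's 'xxx.nordea-fi.com' check, with a random label.

    `resolve(name)` returns the set of A records for `name`. A zone has a
    wildcard if a label nobody could have registered answers with the same
    address as the phishing host itself.
    """
    probe = f"{secrets.token_hex(6)}.{domain}"
    probe_addrs = resolve(probe)
    return bool(probe_addrs) and probe_addrs == resolve(known_host)


def fake_resolve(name):
    """Constructed stand-in resolver: both nordea-* zones answer any label
    with 88.191.36.45 (as observed in the report); example.org only knows
    its www host, so an unknown label returns nothing."""
    if name.endswith((".nordea-fi.com", ".nordea-fis.com")):
        return {"88.191.36.45"}
    if name == "www.example.org":
        return {"192.0.2.10"}
    return set()


if __name__ == "__main__":
    for brand, domains in lookalikes_on_ip(parse_pdns(PDNS_TEXT), "203.146.251.8").items():
        for domain, (first, last) in sorted(domains.items()):
            print(f"{brand:13} {domain:25} {first:%Y-%m-%d} .. {last:%Y-%m-%d}")
    print("nordea-fi.com wildcard:", is_wildcard("nordea-fi.com", "solo1.nordea-fi.com", fake_resolve))
    print("example.org wildcard:  ", is_wildcard("example.org", "www.example.org", fake_resolve))
```

The random probe label matters: a fixed label like `xxx` could have been registered deliberately, whereas a fresh hex label cannot, so a positive answer is unambiguous. When running this against live DNS, send the probe to the zone's own name servers (here ns1/ns2.nordea-fi.com) rather than a caching recursor, so a stale negative cache does not mask the wildcard.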