Now, would you believe that, due to outsourcing considerations, NatWest Bank are now using a Siberian ISP? Naah, only in your wicked dreams! This campaign has been going on for the last 24 hours, using URLs that place the genuine natwest.com name in front of throwaway .hk, .ph and .kg domains.
Now, let's get back to the domain farms. The first one is located at CTS SIBERIA (Complex Telematic Systems Joint Stock Company, 53 Pisareva St., Novosibirsk, 630005, Russia), on 81.16.131.40, an IP that hosts a cluster of the farm's domains, HSBC lookalikes among them.
The second one is located at CL-ECSA-LACNIC ENTEL CHILE S.A. on 200.72.139.67, and that IP acts as the main IP for a wide range of NS servers which further expand the domain farm. As I've already pointed out numerous times, Rock Phish is a great example of how centralization brings both efficiency and ease of management, and also insecurity, in the sense that shutting down the IP shuts down the entire scammy ecosystem of over 30 Rock Phish domains, each hosting roughly 5 to 10 different phishing campaigns targeting different brands on a single domain. Here's another perspective on the blended threat posed by phishing emails that come with embedded banker malware, the results of which later get aggregated into a botnet made up solely of hosts infected with banking malware. Find out more about trends and developments related to phishing in 2007 in a related article, and about the Rock Phish kit in principle.
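As an added example (not the author's code), here is a small defender-side triage script for the two patterns above: the brand's real domain used as a subdomain prefix of an unrelated registrable domain, and many such hosts sharing one IP. It assumes a tiny embedded public-suffix table in place of the real list, and the hosts and IPs are constructed samples modelled on the post's pattern.

```python
"""Flag hosts that front a bank's real domain on an unrelated registrable
domain (the Rock Phish pattern) and group hits by hosting IP, so the
single takedown point of a centralized farm is visible at a glance."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the public suffix list, enough for the sample.
PUBLIC_SUFFIXES = {"hk", "kg", "ph", "com.ph", "org.ph", "net.ph", "com", "example"}

# Brands whose domains the post shows being spoofed.
BRAND_DOMAINS = {"natwest.com", "hsbc.com"}


def registrable_domain(host):
    """Return the owner-controlled part of a host, e.g. 'farm49.hk'.
    Walks from the longest candidate suffix down, so 'com.ph' beats 'ph'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def spoofed_brand(host):
    """Return the brand domain that 'host' impersonates, or None if the host
    is genuinely under a brand's own registrable domain or matches nothing."""
    host = host.lower()
    if registrable_domain(host) in BRAND_DOMAINS:
        return None
    for brand in BRAND_DOMAINS:
        # label-aligned match: 'natwest.com.' as a prefix or inner run of labels
        if host.startswith(brand + ".") or "." + brand + "." in host:
            return brand
    return None


def triage(records):
    """records: iterable of (url, hosting_ip). Returns {ip: [(host, brand)]},
    i.e. how many spoofed hosts collapse onto each IP."""
    by_ip = defaultdict(list)
    for url, ip in records:
        host = urlsplit(url if "://" in url else "http://" + url).hostname
        brand = spoofed_brand(host)
        if brand:
            by_ip[ip].append((host, brand))
    return dict(by_ip)


# Constructed sample records (made-up hosts, documentation-range IPs).
SAMPLE = [
    ("natwest.com.farm49.hk/onlinebanking/customerform.aspx", "192.0.2.10"),
    ("natwest.com.farm40.hk/onlinebanking/customerform.aspx", "192.0.2.10"),
    ("hsbc.com.farmxyz.com.ph/ibank/", "192.0.2.10"),
    ("www.natwest.com/online", "198.51.100.5"),  # real brand host, not flagged
    ("news.example/story", "198.51.100.5"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

With the sample, all three spoofed hosts land on 192.0.2.10, which is the post's point: one IP, one takedown.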