
Bank phishing + malware site


rconner


Back in harness again after our SpamCop adventures over the weekend, I found what is to me a novel spam. You click on the link to go to a website (hosted on a botnet, apparently) purporting to belong to SVB bank, then you have to watch a video to find out about new "interactive windows for our clients." You're right -- the video isn't a video at all, but a suspicious .exe file.

Damn thing even tried to run itself on my Mac (much good it would have done it). Be careful, folks.

-- rick


Wow, that's nasty, a definite raising of the bar (assuming the worst from the payload). Yep, looks like a botnet:

Non-authoritative answer:
Name: 3455shared.com
Addresses: 71.147.3.117, 172.130.93.159, 66.138.7.3, 69.86.171.111, 70.240.150.52

- with domain registrant protected by the good folk of Private Protection Co. LTD, Beijing and Zhuhai. More than usual effort has gone into that one, for sure. Present nameservers might be vulnerable though - visiblecorteg.com (Mike Tyson according to whois.bizcn.com)


Normally I don't spend much time looking at my spam or the spamvertised site in the spam. Most of the time the Subject, Sender and/or To are enough to identify the spam and send them to SpamCop, PhishTank, KnujOn for processing. However, I have gotten two that piqued my interest. They were "From" my bank, however not To the email the bank knows. There was also the "hank You" at the end. The look was good.

After the second one I went back to see what the automatic processing had done and to look at the spamvertised links. I also sent copies to abuse[at]USAA.

USAA customer service: service message

USAA: urgent message

During my poking around, I discovered that I don't really know how to get from a domain name to an IP that I can use in SenderBase. I tried WhoIs, which got me some information but not always an IP. I was trying to track down the phishing holes(?) IP but didn't get far.

Looking for today's education so I can get to bed early tonight. Any pointers to find out more about i1jjf.com or 1lili.com would be nice.


You must have military ties! USAA has a note mentioning the phishes on its website (the real one!) - I didn't get any (but if the USAA phisher reads the forum, maybe I will?)

I was wondering how to do that also - there is a website where you can do that, but I was too lazy to look it up this morning - and too lazy now. I spent a large part of my day looking for things so partly I am just done with looking - not one of my better skills anyway.

Miss Betsy


During my poking around, I discovered that I don't really know how to get from a domain name to an IP that I can use in SenderBase. I tried WhoIs, which got me some information but not always an IP. I was trying to track down the phishing holes(?) IP but didn't get far.
You can do this on Windows or *nix with the "nslookup" command. You have to carve out the portion of the URL that is just the hostname (i.e., between the "://" and the next "/" if any).

Also, kloth.net looks to be pretty comprehensive if you would rather use a web-based tool. There are many others. Most probably still require you to extract the host from the URL.

Bear in mind that when you find the IP address of your phish link, you are not necessarily finding the ultimate destination for the traffic, for reasons I have been at pains to explain many times in other boards on this forum. Kloth.net has a "serverinfo" that might help in spotting HTTP redirection.

Some further background on nslookup is on my website.

-- rick


Yes Miss B, "some" military ties. I too saw the phishing notice when paying a bill. Yes, you may be in line for this spam. The original (now 3) were sent to an old email. After following the link I now have gotten a fourth spam sent to my default ISP email address.

We are now up to 4 copies of this spam, all with different spamvertised domains.

Thanks for the info Rick. After posting I did go back and read your sig and have marked your website for additional study. To paraphrase a little, 'When all else fails ... read!'


One more reference specific to the problem at hand: http://www.rickconner.net/spamweb/pop-find-web-owners.html.

What I will typically do is first resolve the host name to an IP address, then see to whom the IP address belongs. I'll then sometimes check the website with curl (which fetches files from websites but does not render them or run any code on them). For the record:

rconner$ nslookup www.usaa.com.i1jjf.com
Server:		10.0.1.1
Address:	10.0.1.1#53

Non-authoritative answer:
Name:	www.usaa.com.i1jjf.com
Address: 8.15.7.117
Name:	www.usaa.com.i1jjf.com
Address: 63.251.179.13

So this guy lives at two addresses (apparently).

rconner$ whois 8.15.7.117
Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1)
								  8.0.0.0 - 8.255.255.255
Co-Location.com Inc. LVLT-COLOC-1-8-15-7-96 (NET-8-15-7-96-1)
								  8.15.7.96 - 8.15.7.127

rconner$ whois 63.251.179.13
Internap Network Services Corporation NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
								  63.251.0.0 - 63.251.255.255
AllMar Networks LLC INAP-DEN-ALLMAR-29797 (NET-63-251-179-0-1)
								  63.251.179.0 - 63.251.179.63

The first is at Level 3 (the big wholesale carrier) in what looks to be a server hosting (colocation) block, the second at "AllMar Networks" (website design & hosting firm), which got its block from Internap.

Finally, I "curled" this link, minus the long funny number (but won't show the printout here). It returned a 404, meaning that the page (or whatever) was not found. This is not positive proof that these guys aren't still online (I might have gotten a different result if I'd left the funny number in place), but we have the basic info we'd need to report this site: its IP addresses, and the parties who control them.

-- rick
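The procedure Rick lays out in the two posts above (carve the hostname out of the URL, resolve it, then check for HTTP redirection before trusting the IP you got) as an added Python example. This is not code from the thread or from Rick's site. Only the hostname www.usaa.com.i1jjf.com comes from the posts; the URL path, the landing host landing.example and the canned HTTP responses are constructed for the example. The registrable-domain rule is a deliberate simplification (last two labels, no Public Suffix List), and resolve() is the only part that needs the network.

```python
"""Added example: from a spamvertised URL to the facts needed to report it.

Assumptions (not from the thread):
- registrable_domain() uses a naive last-two-labels rule so it runs offline;
  a real tool would consult the Public Suffix List.
- follow_redirects() takes a fetch callback, so the redirect logic is
  exercised here against constructed responses; pass a live HTTP fetcher
  (e.g. one built on urllib.request) to walk a real chain.
"""
import socket
from urllib.parse import urljoin, urlsplit


def hostname_from_url(url):
    """Carve out the hostname between '://' and the next '/', dropping any
    'user:pw@' prefix and ':port' suffix, as the thread describes."""
    if "://" not in url:
        url = "http://" + url          # bare host or host/path
    host = urlsplit(url).hostname      # lower-cases, strips userinfo and port
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".")


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption, see above).
    Anything left of that, such as 'www.usaa.com', is just a subdomain that
    the real owner of the last two labels can name however they like."""
    labels = host.split(".")
    if len(labels) < 2 or all(part.isdigit() for part in labels):
        return host                    # single label or IPv4 literal
    return ".".join(labels[-2:])


def brand_lookalike(host, brands):
    """Return (brand, actual_domain) when a trusted brand's domain appears
    inside a hostname that is NOT under that brand, else None.
    www.usaa.com.i1jjf.com -> ('usaa.com', 'i1jjf.com')."""
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            return None                # genuinely under the brand's domain
        if ("." + brand + ".") in ("." + host + "."):
            return brand, registrable_domain(host)
    return None


def resolve(host):
    """Resolve host to its addresses with the system resolver (what the
    thread did with nslookup). Needs network; returns [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def follow_redirects(fetch, url, max_hops=10):
    """Walk 3xx Location hops. fetch(url) returns (status, headers_dict).
    Returns the URLs visited; the last one is where the traffic really
    ends up, which may be a different host from the one in the spam."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(url)
        loc = headers.get("Location") or headers.get("location")
        if status not in (301, 302, 303, 307, 308) or not loc:
            break
        url = urljoin(url, loc)        # relative Location, as browsers do
        if url in chain:               # redirect loop
            break
        chain.append(url)
    return chain


# Constructed responses standing in for a live fetch: the phish host bounces
# to a second host, which serves the page. nslookup on the first host alone
# would never show you the second one.
CONSTRUCTED_RESPONSES = {
    "http://www.usaa.com.i1jjf.com/login/": (302, {"Location": "http://landing.example/a/"}),
    "http://landing.example/a/": (301, {"Location": "/b/"}),
    "http://landing.example/b/": (200, {"Content-Type": "text/html"}),
}


def constructed_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    url = "http://www.usaa.com.i1jjf.com/login/"      # path is constructed
    host = hostname_from_url(url)
    print("host:", host, "registrable:", registrable_domain(host))
    print("lookalike:", brand_lookalike(host, ["usaa.com"]))
    print("addresses:", resolve(host) or "(no answer / offline)")
    print("chain:", " -> ".join(follow_redirects(constructed_fetch, url)))
```

Run the addresses from resolve() through whois (or the kloth.net tools) exactly as Rick does above; the chain from follow_redirects() tells you which host's addresses actually matter for the report.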

