Ambitious bank phishing

[rconner]

Got a couple of these this evening, here's the tracking link for the latest.

The phisher's URL is, of course, disguised as the bank's (ally.com) via "prepended subdomain." It is on a botnet, with about 15 addresses currently and a TTL of about 15min or so. There are 4 name servers at 3 different IPs, they seem to be bots as well. The domain name was registered just today with namebay.com, registrant data looks a little fishy but seems to point to the Miami area. I have LARTed namebay via their website.

Professionals at work.

-- rick

[Geek]

Hmmm, that "njhyu.net" has been the root of a recent mega Ebay phishing scam too.

[Farelf]

Hmmm, that "njhyu.net" has been the root of a recent mega Ebay phishing scam too.

And the other 'alphabet soup' domain (jghtyu.com) with similar botnet hosting you showed in http://www.spamcop.net/sc?id=z3132540596z1...4e0a6c47721416z in another topic is from the same registrar.

Heck, I wonder if namebay.com is actually cheaper than the Chinese bulk-registration industry these days? That was about 13 cents per domain, last time I looked, IIRC. The good news is they may be much better than the Chinese (were) at pulling rogues - jghtyu.com (at least) is gone, defunct, no longer with us or, to quote Mr. Praline: -

'E's not pinin'! 'E's passed on! This parrot is no more! He has ceased to be! 'E's expired and gone to meet 'is maker! 'E's a stiff! Bereft of life, 'e rests in peace! If you hadn't nailed 'im to the perch 'e'd be pushing up the daisies! 'Is metabolic processes are now 'istory! 'E's off the twig! 'E's kicked the bucket, 'e's shuffled off 'is mortal coil, run down the curtain and joined the bleedin' choir invisibile!! THIS IS AN EX-PARROT!!'.

In a word it is 'dead'.

[rconner]

Progress report: "NJHYU.NET" is now NXDOMAIN as of this afternoon.

Sometimes people do listen (although I wouldn't presume that they were listening to me).

-- rick