bobbear Posted November 29, 2005

I'm being swamped by dozens of phishing scams a day, all of which direct the victim to different pages on this site, depending on the bank being phished:

http:// 218.28.165.168:680/rock/l/ [This one's for Lloyd's]
http:// 61.111.155.76:680/rock/h/ [This one's for Halifax]
http:// 211.176.150.192:680/rock/Isa/ [This one's for Barclays]

and so on - the criminal seems to be hitting loads of different banks at once. I haven't been able to derive a registrar for the sites involved; perhaps there isn't one, as I do not recognise the construction of the IP - presumably 680 is a port on the various servers. The location of the server is no problem, CNC group, Shinbiro etc., but I cannot identify a site. Can someone explain what is going on here, please?
Jeff G. Posted November 29, 2005

This spammer is using domain-free URLs - that is, asking the recipient to browse to a specific port at an IP Address, rather than to a named server. The good news: hopefully, recipients of this spam will be less likely to click on such URLs than normal URLs; also, those of you with access to routing tables can block this spammer's sites directly.
bobbear Posted November 29, 2005 (Author)

> This spammer is using domain-free URLs - that is, asking the recipient to browse to a specific port at an IP Address, rather than to a named server. The good news: hopefully, recipients of this spam will be less likely to click on such URLs than normal URLs; also, those of you with access to routing tables can block this spammer's sites directly.

Thanks Jeff - that makes sense. It's the first time I've come across those. So there's no way to get any whois data apart from that of the host IP itself? Why would a recipient be less likely to click on such a URL? Unfortunately the above URLs are just the href for a bogus bank site gif in the usual way. The displayed link text is spoofed to a bank URL in the usual way also, so when you hover on the gif you see what seems to be a good bank URL and only see the real URL when the address bar appears, but by then you are on the site. This is one clever and prolific criminal.
Wazoo Posted November 29, 2005

> Thanks Jeff - that makes sense. It's the first time I've come across those. So there's no way to get any whois data apart from that of the host IP itself?

I had just addressed this "port" addressing in a response to Port Scan ... Sure, you can do a WHOIS on the IP, but in all likelihood, you're probably going to see that this is one of those where the IP address of the "hosting site" changes every few minutes .. leading one to the issue that a complaint to the ISP involved will probably result in "nothing found" at the time of an abuse-desk check.

> Why would a recipient be less likely to click on such a URL?

Change that to a "clueful" recipient.

> Unfortunately the above URLs are just the href for a bogus bank site gif in the usual way. The displayed link text is spoofed to a bank URL in the usual way also, so when you hover on the gif you see what seems to be a good bank URL

Spoofing of the address bar contents has (allegedly) been patched in current versions of (mainstream) browsers ... are you up to date?

> and only see the real URL when the address bar appears, but by then you are on the site. This is one clever and prolific criminal.

"Clever" in the way that various old exploits and user ignorance are used as the basic premise in getting the click-throughs ...??? I have other personal words for these types of activities.
bobbear Posted November 30, 2005 (Author)

> Change that to a "clueful" recipient.

A 'clueful' recipient wouldn't click on any of these scams!...

> Spoofing of the address bar contents has (allegedly) been patched in current versions of (mainstream) browsers ... are you up to date?

I'm using Firefox 1.0.7. I may be wrong, but I don't think it is the old 'spoofing' exploit - this is the relevant HTML from this morning's latest offering:

<html><p><font face="Arial"><A HREF="https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk"><map name="FPMap0"><area coords="0, 0, 593, 300" shape="rect" href="http://61.111.155.63:680/rock/h/"></map><img SRC="cid:part1.04000805.06080607[at]anti-fraud.ref.num86235[at]halifax.co.uk" border="0" usemap="#FPMap0"></A></a></font></p><p><font color="#FFFFF6">Is it serious? I advise you Ramadan in 1850 I am </font></p></html>

Hovering over the gif image this code defines shows the link as:

https:// www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk

but of course the criminal's real link is:

http:// 61.111.155.63:680/rock/h/

(both 'gapped' to make them unclickable).

> I have other personal words for these types of activities.

I'd certainly agree with that, but how the hell can anyone get at this guy?....

P.S. I noticed the '[at]'s in the above code are automatically replaced with [at]'s - nice one... (missed that one, mind you....)
StevenUnderwood Posted November 30, 2005

> Hovering over the gif image this code defines shows the link as: https:// www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk but of course the criminal's real link is: http:// 61.111.155.63:680/rock/h/

Creating an htm file out of your example, the most recent version of IE presents the http:// 61.111.155.63:680/rock/h/ when hovering over the (non-existent) gif.
bobbear Posted November 30, 2005 (Author)

Just to make it clear (as I stupidly referred to Firefox earlier on - still half asleep, I think!), the spoofed Halifax link appears in the bottom status bar of OE6 (v. 6.00.2800.1123) when hovering over the email gif in the preview pane. When you then click on the gif, that spoofed Halifax link in the status bar immediately changes to the real link, and it is that real link that is transferred to the browser (FF 1.5 now) address bar in a new window. It looks like a 'shortcoming' in OE6. I wonder if Thunderbird behaves in the same way? I hope that makes more sense!
StevenUnderwood Posted November 30, 2005

> It looks like a 'shortcoming' in OE6. I wonder if Thunderbird behaves in the same way? I hope that makes more sense!

That would make more sense from a spammer's and Firefox POV. I don't use OE and am not an html person enough to determine why OE shows the first link in the status bar. As I stated, IE shows the IP link.
justauser Posted November 30, 2005

> I don't use OE and am not an html person enough to determine why OE shows the first link in the status bar. As I stated, IE shows the IP link.

It is probably because OE uses the faulty notion of areas mapped within an image overriding the image's href for clicking but not hovering purposes.
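The two warning signs discussed in this thread (Jeff G.'s domain-free IP:port URLs, and justauser's point that an image map's area href silently overrides the enclosing anchor's href) can both be checked mechanically before anyone hovers over anything. The following is an added example written for this thread, not code from any poster or mail client: it parses a mail body with Python's standard-library HTML parser, pairs every <a href> with the <area href>s nested inside it, and reports where the "shown" anchor host and the "actual" area host disagree, where the actual destination is a bare IP literal, or where it uses a port other than 80/443. The sample mail body is the Halifax fragment bobbear posted above (with the forum's '[at]' substitution left in place); the 80/443 port allow-list and the reason strings are this example's own assumptions.

```python
"""Detect image-map link overrides and domain-free IP:port destinations in HTML mail.

Added example for the thread above, not code from any poster. The sample body is
the phishing HTML quoted in the thread; the port allow-list is an assumption.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Mail body copied from the thread (the forum replaced '@' with '[at]' in the cid:).
SAMPLE_HTML = (
    '<html><p><font face="Arial">'
    '<A HREF="https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk">'
    '<map name="FPMap0"><area coords="0, 0, 593, 300" shape="rect" '
    'href="http://61.111.155.63:680/rock/h/"></map>'
    '<img SRC="cid:part1.04000805.06080607[at]anti-fraud.ref.num86235[at]halifax.co.uk" '
    'border="0" usemap="#FPMap0"></A></a></font></p></html>'
)

# Ports a legitimate bank login page would normally use (assumption for this example).
EXPECTED_PORTS = {None, 80, 443}


class LinkMapParser(HTMLParser):
    """Collect each <a href> together with the <area href>s nested inside it.

    HTMLParser lowercases tag and attribute names, so the mail's 'A HREF' is seen
    as 'a'/'href'. The stray second </a> in the sample is harmless here.
    """

    def __init__(self):
        super().__init__()
        self.links = []        # list of (anchor_href, [area_href, ...])
        self._current = None   # the (anchor_href, areas) entry currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current = (attrs["href"], [])
            self.links.append(self._current)
        elif tag == "area" and attrs.get("href") and self._current is not None:
            # An <area> inside an open <a> is what the user actually clicks.
            self._current[1].append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def is_ip_literal(url):
    """True if the URL's host is a bare IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(html):
    """Return one finding per (anchor, area) pair with the reasons it looks suspicious.

    An empty 'reasons' list means the area merely restates the anchor's host on a
    normal port; anchors without any nested <area> produce no finding.
    """
    parser = LinkMapParser()
    parser.feed(html)
    findings = []
    for shown, areas in parser.links:
        for actual in areas:
            reasons = []
            if urlsplit(shown).hostname != urlsplit(actual).hostname:
                reasons.append("area href host differs from anchor href host")
            if is_ip_literal(actual):
                reasons.append("destination is a bare IP address (domain-free URL)")
            port = urlsplit(actual).port
            if port not in EXPECTED_PORTS:
                reasons.append(f"non-standard port {port}")
            findings.append({"shown": shown, "actual": actual, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_HTML):
        print("shown on hover :", finding["shown"])
        print("actually clicked:", finding["actual"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample, the script pairs the halifax-online.co.uk anchor with the 61.111.155.63:680 area and reports all three reasons; a benign mail whose <area> points back at the same host on port 443 comes out with an empty reason list. Because the check is on the raw HTML, it does not depend on how OE6, IE or Firefox happen to render the status bar.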