
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
1 edit | USAA Bank Rock/Fast Flux Phishing scam (Creation Date)
I've been getting these USAA Bank (www.USAA.com) phishing scams for about a week now. They combine the practice of Rock Phish (to elude spam filters) and Fast Flux (which prevents termination of the A Name host or server): en.wikipedia.org/wiki/Fast_flux en.wikipedia.org/wiki/Rock_Phish
My idea on dealing with these fraudulent sites is to pull the name server location out from under the phishing top-level domain name deilfi.com, which will literally pull the rug out from under the site, terminating the phishing site.
One should take notice of the Creation Date (06-jul-2009, 07-jul-2009) of each domain name (deilfi.com, ns1.blacklard.com, ns1.dischnk.net), which verifies that the site is not legitimate and that the name servers are supporting a fraudulent site.
This is another way to verify that the site is not the real one and is in fact a phishing scam.
------------------------------------------
canonical name www.usaa.com.deilfi.com.
aliases
addresses 78.157.82.12 79.172.116.65 82.13.234.255 83.1.121.47 84.121.117.57 89.32.71.227 89.78.126.49 89.115.204.29 89.151.17.160 93.103.232.126 190.100.180.34 190.142.63.74 213.63.153.60 76.101.65.160 77.111.159.239
Domain Name: DEILFI.COM
Registrar: NAMEBAY
Whois Server: whois.namebay.com
Referral URL: www.namebay.com
Name Server: NS1.BLACKLARD.COM
Name Server: NS1.DISCHNK.NET
Status: ok
Updated Date: 07-jul-2009
Creation Date: 07-jul-2009
Expiration Date: 07-jul-2010
----------------------------------------
canonical name ns1.blacklard.com.
aliases
addresses 199.187.120.12 / Termination point
Domain Name: BLACKLARD.COM
Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Whois Server: whois.directnic.com
Referral URL: www.directnic.com
Name Server: NS0.DIRECTNIC.COM (legitimate name-server)
Name Server: NS1.DIRECTNIC.COM (legitimate name-server)
Status: clientDeleteProhibited
Status: clientHold
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 07-jul-2009
Creation Date: 06-jul-2009
Expiration Date: 06-jul-2010
OrgName: Database by Design, LLC
OrgID: DBDL-2
NetRange: 199.187.120.0 - 199.187.127.255
CIDR: 199.187.120.0/21
----------------------------------------
canonical name ns1.dischnk.net.
aliases
addresses 64.111.24.229 / Termination point
Domain servers in listed order:
NS0.DIRECTNIC.COM 69.46.233.245 (legitimate name-server)
NS1.DIRECTNIC.COM 69.46.234.245 (legitimate name-server)
Updated Date: 07-jul-2009
Creation Date: 06-jul-2009
Expiration Date: 06-jul-2010
OrgName: Optimum Network Services, LLC
OrgID: ONSL
NetRange: 64.111.16.0 - 64.111.31.255
CIDR: 64.111.16.0/20
----------------------------------------
Return-Path:
Delivered-To: spamcop-net-xxxxxxxxxl@spamcop.net
Received: (qmail 30620 invoked from network); 7 Jul 2009 13:00:29 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-Spam-Level: *******
X-Spam-Status: hits=7.5 tests=DOS_OE_TO_MX,HTML_MESSAGE,MIME_QP_LONG_LINE,RDNS_NONE,SPOOF_COM2COM,URIBL_BLACK version=3.2.4
Received: from unknown (192.168.1.107) by filter7.cesmail.net with QMQP; 7 Jul 2009 13:00:29 -0000
Received: from unknown (HELO VEMQLYBRBU) (125.177.37.54) by mx70.cesmail.net with SMTP; 7 Jul 2009 13:00:29 -0000
Message-ID:
From: "USAA"
To:
Subject: New USAA form released Tue, 7 Jul 2009 21:59:49 +0900
Date: Tue, 7 Jul 2009 21:59:49 +0900
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01C9FF02.CFD6AD20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=7
This is a multi-part message in MIME format.
------=_NextPart_000_0007_01C9FF02.CFD6AD20
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To ensure delivery to your inbox, please add USAA.Web.Services@customermail= usaa.com to your address book.
Confirmation Form=20
Online Security Guarantee=A0=A0
=A0 Dear USAA Customer, We would like to inform you that we have released a new version of USAA Con= firmation Form. This form is required to be completed by all USAA customers= Please use the button below in order to access the form:
Access USAA Confrmation Form
Thank you, USAA
=A0
=A0
=A0
Please do not reply to this e-mail. To send a secure message to USAA, pleas= e contact us.
Privacy Promise USAA, 9800 Fredericksburg Road, San Antonio, Texas 78288 USAA means United Services Automobile Association and its insurance, bankin= g, investment and other companies. Banks Member FDIC. Investments provided = by USAA Investment Management Company and USAA Financial Advisors Inc., bot= h registered broker dealers.
"httx://www.usaa.com.deilfi.com/inet/ent_formversionnew/do_action?i= d=3D43220395839597363296361488553079686827893033448985022289897335905801831= 0" --
Specializing in "take downs" of phishing and advance fee scams. Send your Phishing/Advance fee scams to: phish@antihotmail.com www.phishtank.com www.fraudwatchers.org mozilla.com

antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
2 edits | Re: quick termination of phishing site !!!
Works like a charm each and every time. This idea works when trying to get a Fast Flux Phishing site terminated off the internet.
Retrieving DNS records for www.usaa.com.deilfi.com....
Attempt to get a DNS server for www.usaa.com.deilfi.com. failed: www.usaa.com.deilfi.com. The query returned a server failure
----------------------- Response From DirectNIC: -----------------------
Subject: directNIC Trouble Ticket Has Been Responded To [ TT#1320480 ]
Thank you for using the directNIC.com Trouble Ticket System. The following response is from a qualified directNIC customer support team member:
Date: 07/07/09 01:37pm From: ----------
The Domains related to these nameservers have been put on hold and the nameservers removed.
Thank you,
-----------------------
garys_2k join:2004-05-07 Farmington, MI | reply to antiphishing
Re: USAA Bank Rock/Fast Flux Phishing scam (Creation Date)
Great idea!

antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
3 edits | said by garys_2k: Great idea!
This is advanced education in phishing site termination. You can report each and every A Name (which in the above case is 15 zombie machine locations), but these IP Numbers are dynamic and are much harder to terminate because many are not internet locations in the United States. It's easier to terminate at the Name-Server location because the IP Numbers associated with the canonical name (reverse DNS) don't change.
I might add here that the name-servers can also support multiple phishing sites, so by terminating in this way it can disrupt the phisher man's game plan big time.
----
Took down another name-server location !!! 
Retrieving DNS records for www.usaa.com.iljihli.com.mx....
Attempt to get a DNS server for www.usaa.com.iljihli.com.mx. failed: www.usaa.com.iljihli.com.mx. The query returned a server failure
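Added example, not the poster's own script and not any tool named in the thread. It covers the checks the first post and the reply above describe: the Creation Date comparison across the phishing domain and its name-server domains, the scatter of the A record set that marks a fast-flux host, and picking the name-server domains (which do not move) as the termination point to report to their registrar. The sample whois and DNS text is transcribed from the output posted in the thread and embedded inline, so the script runs offline; the two-label suffix list, the flux thresholds and the field and function names are assumptions for illustration.

```python
"""Triage a fast-flux phishing host the way the thread does by hand:
how young each domain is, whether the A records look fluxed, and which
name-server domains (and registrar) to report.  Offline; sample input only."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import ipaddress

MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# Assumption: a stand-in for the Public Suffix List, enough for the thread's hosts.
TWO_LABEL_SUFFIXES = {"com.mx", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Strip the look-alike 'www.usaa.com.' prefix down to what a registrar controls."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse_whois_date(text: str) -> date:
    """Parse the '07-jul-2009' form used in the posted whois output."""
    day, mon, year = text.strip().lower().split("-")
    return date(int(year), MONTHS[mon], int(day))


@dataclass
class WhoisRecord:
    domain: str
    registrar: str | None
    name_servers: list[str]
    created: date | None

    def age_days(self, seen_on: date) -> int | None:
        return (seen_on - self.created).days if self.created else None


def parse_whois(domain: str, text: str | None) -> WhoisRecord:
    """Extract registrar, name servers and creation date; a missing record
    (text is None) gives unknowns instead of aborting the triage."""
    fields, name_servers = {}, []
    for line in (text or "").splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server":
            name_servers.append(value.lower())
        else:
            fields[key] = value
    created = fields.get("creation date")
    return WhoisRecord(domain, fields.get("registrar"), name_servers,
                       parse_whois_date(created) if created else None)


def fast_flux_indicators(ips: list[str]) -> dict:
    """One real web host answers from one address; a flux network of infected
    home machines answers from many addresses in unrelated networks."""
    addrs = {ipaddress.ip_address(ip) for ip in ips}
    nets16 = {ipaddress.ip_network(f"{a}/16", strict=False) for a in addrs}
    return {"addresses": len(addrs), "distinct_16s": len(nets16),
            # thresholds are an illustrative assumption, not a published rule
            "looks_fluxed": len(addrs) >= 5 and len(nets16) >= 5}


def takedown_plan(host, a_records, whois_by_domain, seen_on: date) -> dict:
    """Report the domains behind the zone's name servers: unlike the flux
    addresses, those do not move, and one registrar controls each."""
    phish_domain = registrable_domain(host)
    phish = parse_whois(phish_domain, whois_by_domain.get(phish_domain))
    targets = []
    for ns_host in phish.name_servers:
        ns_domain = registrable_domain(ns_host)
        rec = parse_whois(ns_domain, whois_by_domain.get(ns_domain))
        targets.append({"name_server": ns_host, "domain": ns_domain,
                        "age_days": rec.age_days(seen_on), "registrar": rec.registrar})
    return {"phish_domain": phish_domain,
            "phish_domain_age_days": phish.age_days(seen_on),
            "flux": fast_flux_indicators(a_records), "targets": targets,
            "report_to": sorted({t["registrar"] for t in targets if t["registrar"]})}


# Constructed sample input, transcribed from the output posted in the thread.
PHISH_HOST = "www.usaa.com.deilfi.com"
MAIL_DATE = date(2009, 7, 7)  # Date: header of the phish
A_RECORDS = ("78.157.82.12 79.172.116.65 82.13.234.255 83.1.121.47 84.121.117.57 "
             "89.32.71.227 89.78.126.49 89.115.204.29 89.151.17.160 93.103.232.126 "
             "190.100.180.34 190.142.63.74 213.63.153.60 76.101.65.160 77.111.159.239").split()
WHOIS = {
    "deilfi.com": "Domain Name: DEILFI.COM\nRegistrar: NAMEBAY\n"
                  "Name Server: NS1.BLACKLARD.COM\nName Server: NS1.DISCHNK.NET\n"
                  "Creation Date: 07-jul-2009",
    "blacklard.com": "Domain Name: BLACKLARD.COM\n"
                     "Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM\n"
                     "Name Server: NS0.DIRECTNIC.COM\nName Server: NS1.DIRECTNIC.COM\n"
                     "Creation Date: 06-jul-2009",
    # the posted dischnk.net output has no Registrar line
    "dischnk.net": "Domain Name: DISCHNK.NET\nName Server: NS0.DIRECTNIC.COM\n"
                   "Name Server: NS1.DIRECTNIC.COM\nCreation Date: 06-jul-2009",
}

if __name__ == "__main__":
    plan = takedown_plan(PHISH_HOST, A_RECORDS, WHOIS, MAIL_DATE)
    print(f"{plan['phish_domain']} registered {plan['phish_domain_age_days']} day(s) before the phish; A records: {plan['flux']}")
    for t in plan["targets"]:
        print(f"report {t['name_server']} -> {t['domain']} (age {t['age_days']}d, registrar {t['registrar'] or 'not in posted whois'})")
```

On the thread's data the phishing domain is zero days old and both name-server domains one day old at the time the mail arrived, the 15 A records sit in 15 different /16 networks, and the only registrar the posted whois names for a name-server domain is DirectNIC, which is where the poster's ticket went. The `dischnk.net` record shows the missing-field path: with no Registrar line in the posted output the target is still listed, with the registrar left as unknown rather than guessed.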