Rock phish information - dslreports.com

Author	All Replies
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	Rock phish information Subject to available time, I am planning to use this thread to list information on recently posted rock phish. The list will include the phishtracker reference number, the IP address (if available), the hostname for the phish page. The plan is to do one post of this format per day, editing that post from time to time as new samples of rock phish are submitted.
	to forum · permalink · · 2007-01-26 11:45:00 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	What's a rock phish anyway? The rock phish is a particular style of phish that is difficult to deal with. Recent phish for Fifth Third Bank are all of this form, as are some of the Bank of America phish and some eTrade phish. The phish url for a rock phish is sent in only one email message. For example, one of today's collection (phish #7559) uses http://www.53.com.portal.busid8623879.cifio.net/cbdir as the url. As you can see, the hostname includes a numeric component. The phisher modifies this number for each copy of the email sent, resulting in unique links. With this practice, the phisher avoids phish filters such as that on IE7. These phish filters use a database check to see if the phish url has already been reported. But since you are the only one receiving this url, nobody else will have reported it. Perhaps these filters should also be checking the IP address of the phish site, since phishers use only a relatively small number of IP addresses but a large number of hostnames. The rock phish email typically contains the url link attached to an image. Since most of the text of the phish email is in the image, this makes it difficult for heuristic mail filters to recognize this as a phish. To create this kind of phish, the phisher registers a new domain. My guess is that it is registered from a hijacked computer, and paid for with a stolen credit card number. The phisher sets up DNS for the new domain, thus creating DNS entries for his multiple phish domain names. In the case of the sample url given above, that domain is "cifio.net". Perhaps if phish filters were to check just the base part of the domain name, that would be another way they could detect and flag a domain as a rock phish domain.
	to forum · permalink · · 2007-01-26 11:48:19 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 2 edits	reply to nwrickert Rock phish report Jan 26, 2007 Rock phish info seen so far today: 7550 211.106.229.177 www.bankofamerica.com.onlinebankingid638260419.honis.jp 7557 85.236.28.124 www.53.com.bankingportal.id97967097.ezgor.biz 7559 85.236.28.124 www.53.com.portal.busid8623879.cifio.net 7560 85.236.28.124 www.53.com.bankingportal.id2792443.orbad.biz 7564 85.236.28.124 www.bankofamerica.com.onlinebankingid3597603819.yourheter.biz 7570 85.236.28.124 www.53.com.bankingportal.id040089872.ezgor.biz 7571 85.236.28.124 www.bankofamerica.com.onlinebankingid3713517135.yourheter.biz 7583 NXDOMAIN www.53.com.bankingportal.id792344258.lrland.biz 7584 NXDOMAIN www.volksbank.de.networld.onlineid014644115.lrland.biz 7589 NXDOMAIN www.53.com.bankingportal.id48249930819.glkpro.biz
	to forum · permalink · · 2007-01-26 11:49:53 · (locked)
alien8 join:2004-03-03 UK	reply to nwrickert Re: What's a rock phish anyway? said by nwrickert : The rock phish email typically contains the url link attached to an image. Since most of the text of the phish email is in the image, this makes it difficult for heuristic mail filters to recognize this as a phish Difficult, yep... but there are things "wrong" with how the phish emails are produced... that I'm not going to go into... but can be used to detect that it's a rock phish email. Look on the stats page for items labelled "Rock", showing that it can be detected... certainly using ClamAV: »sanesecurity.com/clamav/stats.htm Cheers, Steve -- Tired of spam? Grab www.spampal.org
	to forum · permalink · · 2007-01-26 13:07:37 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 2 edits	reply to nwrickert Rock phish report Jan 27, 2007 Today's rock phish info 7595 85.236.28.124 www.53.com.portal.busid746837.algxi.biz 7598 85.236.28.124 www.53.com.bankingportal.id724690112.algxi.biz 7599 85.236.28.124 www.53.com.bankingportal.id98951236412.officials2you.info 7600 85.236.28.124 www.53.com.bankingportal.id45160506973735.algxi.biz 7601 85.236.28.124 www.53.com.bankingportal.id3525021985014.officials2you.info 7602 85.236.28.124 www.53.com.bankingportal.id5248317.algxi.biz 7603 85.236.28.124 www.bankofamerica.com.onlinebankingid330369528.hotslive.biz 7604 NXDOMAIN www.53.com.bankingportal.id8384157303295.dsart.info 7605 NXDOMAIN www.bankofamerica.com.onlinebankingid01642418.goglk.biz 7608 85.236.28.124 www.53.com.bankingportal.id55157621127657.quddi.info 7612 85.236.28.124 www.53.com.bankingportal.id31440634.matgel.biz 7615 85.236.28.124 www.53.com.bankingportal.id051125998509.matgel.biz 7616 85.236.28.124 www.bankofamerica.com.onlinebankingid2637280.hotslive.biz 7619 65.33.83.30 www.53.com.bankingportal.id785769539557.justsonline.info 7628 65.33.83.30 www.53.com.bankingportal.id74596259986568.quddi.info 7630 65.33.83.30 www.53.com.bankingportal.id845605709.qote4ud.biz
	to forum · permalink · · 2007-01-27 11:33:31 · (locked)
garys_2k join:2004-05-07 Farmington, MI ·Future Nine Corpor.. ·Vonage	reply to nwrickert Re: Rock phish information Hmm, I wonder if posting one of these without scrambling the I.D. tag could lead to your email being blacklisted by a careful phish publisher. If one particular email address' phish were often killed, that could be an indication that the recipient wasn't the usual luser.
	to forum · permalink · · 2007-01-27 21:48:03 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	Interesting question. Yes, those links could be used as a kind of web bug, to track the recipient address. The phisher would have to keep records to do that tracking. It doesn't seem to be happening. People who are posting Fifth Third phish are still getting more. I see attempts to block phishtracker access to some of the web pages (which makes the link appear dead), but I haven't seen any evidence that they are actively removing phish submitters from their mailing lists.
	to forum · permalink · · 2007-01-27 21:58:30 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 2 edits	reply to nwrickert Rock phish report Jan 28, 2007 Today's rock phish (so far) 7640 85.236.28.124 www.53.com.bankingportal.id2448208045.justsonline.info 7641 85.236.28.124 www.53.com.bankingportal.id81625147703905.hotslive.biz 7642 85.236.28.124 www.53.com.bankingportal.id81626846488.qote4ud.biz 7646 85.236.28.124 www.53.com.bankingportal.id7353728206895.matgel.biz 7650 85.236.28.124 www.bankofamerica.com.onlinebankingid01304729.honis.jp 7652 85.236.28.124 www.53.com.bankingportal.id83328092.qote4ud.biz 7653 85.236.28.124 www.53.com.bankingportal.id85208107909996.innme.info
	to forum · permalink · · 2007-01-28 11:27:15 · (locked)
s0tet join:2005-06-08	reply to nwrickert Re: Rock phish information Rockphish are extremely prolific. If you check out the current phish URLs reported at »www.phishtank.com/ most of the time, they are Rockphish just as they are here in PhishTracker. The key to getting rockphish disabled is getting the domains disabled by the registrars as soon as possible as you see the rockphish use the fraudulently purchased domains for the subdomains in the phishing sites and for the nameservers.
	to forum · permalink · · 2007-01-28 19:08:55 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	It would be even better if the registrars would make it a bit harder to set up these domains in the first place. Something like a 14 day waiting period for a new domain and new customer (but no such delay for an established customer with a good record).
	to forum · permalink · · 2007-01-29 00:05:47 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	reply to nwrickert Rock phish report Jan 29, 2007 Here is the summary for phish listed today: 7667 65.33.83.30 www.53.com.bankingportal.id77261710.qote4ud.biz 7668 65.33.83.30 www.53.com.bankingportal.id902691517722.innme.info 7669 65.33.83.30 www.bankofamerica.com.onlinebankingid0460035.officials2you.info 7770 65.33.83.30 www.bankofamerica.com.onlinebankingid7575003056.justsonline.info 7671 65.33.83.30 www.53.com.bankingportal.id30283402467.qote4ud.info 7672 65.33.83.30 www.53.com.bankingportal.id1402883986754.algxi.biz 7673 65.33.83.30 www.53.com.bankingportal.id417723482.algxi.biz 7674 65.33.83.30 www.53.com.bankingportal.id174978069.hotslive.biz
	to forum · permalink · · 2007-01-29 09:47:32 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 3 edits	reply to nwrickert Rock phish report Jan 30, 2007 Rock phish seen so far today 7710 211.176.202.19 www.53.com.bankingportal.id64603188090773.0nsluogo.org 7713 211.176.202.19 www.53.com.bankingportal.id301753841286.totca.biz 7714 211.176.202.19 www.bankofamerica.com.onlinebankingid61533897.fior0.info 7715 211.176.202.19 www.53.com.bankingportal.id90028713692.0nsterra.info 7716 NXDOMAIN www.bankofamerica.com.onlinebankingid8171593782.justsonline.info 7717 211.176.202.19 www.53.com.portal.busid01528.ezgor.biz 7718 211.176.202.19 www.53.com.bankingportal.id5075400456.totca.biz 7719 NXDOMAIN www.53.com.bankingportal.id83698067.0nsluogo.org 7720 NXDOMAIN www.53.com.bankingportal.id10238058.0nsterra.info 7724 NXDOMAIN www.53.com.bankingportal.id39108707673478.0nscentro.biz 7725 221.132.85.42 www.53.com.bankingportal.id9938600108.ultratot.net 7727 NXDOMAIN www.volksbank.de.networld.onlineid89719440.officials2you.info 7737 221.132.85.42 www.53.com.bankingportal.id82170557566.htotd.info 7738 221.132.85.42 www.53.com.bankingportal.id81667074594.usetx.com 7739 221.132.85.42 www.bankofamerica.com.onlinebankingid6837929.totfit.biz 7740 221.132.85.42 www.53.com.bankingportal.id80577046.totca.biz 7752 211.176.202.19 www.53.com.portal.busid47520179.totca.biz
	to forum · permalink · · 2007-01-30 09:13:07 · (locked)
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL	reply to nwrickert Re: Rock phish information said by nwrickert : It would be even better if the registrars would make it a bit harder to set up these domains in the first place. Something like a 14 day waiting period for a new domain and new customer (but no such delay for an established customer with a good record). I am surprised that something along those lines has not already been adopted due to the massive amount of fraudulent registrations. Plus, since most are registered with stolen/phished credit accounts not only does the registrar not get paid, they also get a hefty chargeback. The Rockphish group appears to go out of their way to use remote registrars that are off the beaten path, and they vary them. That tactic also makes it difficult for the registration to be revoked promptly. Recently though I noticed an increasing number of the phish submits are DOA. I am not sure whether that is due to more aggressive and timely intervention, or issues with the botnet hosting. said by garys_2k : Hmm, I wonder if posting one of these without scrambling the I.D. tag could lead to your email being blacklisted by a careful phish publisher ........ You are correct, since each link is unique they could be tracked back. However in this case the volume is so high and frequent that culling the list from phish reports is probably a waste of time. There are way too many examples of each phish out there to make that an effective tactic. Ultimately their downfall will be the fact they have made it to the top of the list by the sheer volume, frequency, and tactics, which generates a lot more scrutiny and focus than had they remained low key and "average". Their advantage and staying power has been their ability to be dynamic and adapt their technique to work around any roadblocks. Though some published reports attribute them to be Romanian phishers with complex abilities. In my opinion they and their tactics have more in common with Russian drug pill spammers. MGD
	to forum · permalink · · 2007-01-30 15:24:07 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 3 edits	reply to nwrickert Rock phish report Jan 31, 2007 Info on rock phish received today (so far) 7755 NXDOMAIN www.53.com.bankingportal.id751009233.0nscentro.biz 7757 200.87.174.82 www.bankofamerica.com.onlinebankingid593916650.usetx.com 7758 200.87.174.82 www.bankofamerica.com.onlinebankingid0025207.sintx.info 7759 NXDOMAIN www.bankofamerica.com.onlinebankingid093913805.totfit.biz 7760 NXDOMAIN www.53.com.bankingportal.id938505381.totca.biz 7761 200.87.174.82 www.53.com.portal.busid0785985.glopd.co.nz 7762 200.87.174.82 www.53.com.portal.busid71117659.ezgor.biz 7765 200.87.174.82 www.53.com.portal.busid056714.sintx.info 7766 200.87.174.82 www.53.com.portal.busid040730491.tbitx.us 7768 211.137.13.130 www.53.com.portal.busid33769266.ematx.biz 7770 85.104.120.89 www.53.com.bankingportal.id79309845.raahu.net 7772 85.104.120.89 www.53.com.bankingportal.id6805779.nsiam.biz 7773 85.104.120.89 www.53.com.bankingportal.id48967896018.glopd.co.nz 7774 85.104.120.89 www.53.com.bankingportal.id364478502.hmitx.biz 7778 85.104.120.89 www.53.com.bankingportal.id7195728673168.hunglop.biz 7779 85.104.120.89 www.bankofamerica.com.onlinebankingid81625662.glopd.co.nz 7780 85.104.120.89 www.53.com.bankingportal.id6339131768196.fg5tx.co.nz 7786 85.104.120.89 www.53.com.bankingportal.id2191585.raahu.net
	to forum · permalink · · 2007-01-31 09:50:47 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 3 edits	Here is some domain registration info for rock phish reported today: DOMAIN REGISTRAR Phish# usetx.com REGISTER.COM 7757 sintx.info Register.com 7758, 7765 glopd.co.nz Register.com 7761, 7773, 7779 ezgor.biz REGISTER.COM 7762 tbitx.us REGISTER.COM 7766 ematx.biz REGISTER.COM 7768 raahu.net THE NAME IT CORPORATION 7770 nsiam.biz REGISTER.COM 7772 hmitx.biz REGISTER.COM 7774 hunglop.biz REGISTER.COM 7778 fg5tx.co.nz Register.com 7780 NOTE to domain registrars: It is typical of rock phish, that a domain is registered for the purpose of phishing (i.e. fraud, identity theft, crime). It is very likely that the person named as domain owner is either bogus or a victim of identity theft, and it is very likely that registration fees were paid for using stolen credit cards or other stolen fund source.
	to forum · permalink · · 2007-01-31 10:16:20 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 2 edits	reply to nwrickert Rock phish report Feb 01, 2007 Rock phish seen today 7794 200.87.174.82 www.53.com.portal.busid86130416.glopd.co.nz 7795 211.176.202.19 www.53.com.bankingportal.id58194957841057.ghu34f.biz 7796 211.176.202.19 www.53.com.bankingportal.id1052967.your0ns.info 7797 211.176.202.19 www.53.com.bankingportal.id9773564072813.glopd.co.nz 7798 211.176.202.19 www.53.com.bankingportal.id1064958250.hmitx.biz 7799 NXDOMAIN www.53.com.bankingportal.id47094816062.nsiam.biz 7800 211.176.202.19 www.53.com.bankingportal.id1626717096267.ematx.biz 7801 NXDOMAIN www.53.com.bankingportal.id25981302714065.nsiam.biz 7802 211.176.202.19 www.53.com.bankingportal.id243161037.hmitx.biz 7803 211.176.202.19 www.53.com.bankingportal.id9445720034292.fg5tx.co.nz 7813 211.176.202.19 www.53.com.bankingportal.id612910080590.fg5tx.co.nz 7814 211.176.202.19 www.53.com.bankingportal.id53080722344444.raahu.net 7822 85.30.192.102 www.53.com.bankingportal.id6967915.tbitx.us 7823 NXDOMAIN www.bankofamerica.com.onlinebankingid809288684.ematx.biz 7829 85.30.192.102 www.bankofamerica.com.onlinebankingid772164634.hunglop.biz 7831 85.30.192.102 www.53.com.bankingportal.id62227210.huwin.net 7840 211.137.13.130 www.bankofamerica.com.onlinebankingid46126667.huwin.net
	to forum · permalink · · 2007-02-01 09:15:40 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 3 edits	reply to nwrickert Rock phish report Feb 02, 2007 Rock phish seen today 7847 85.105.190.151 www.53.com.bankingportal.id94077976641709.juv4lr.sa.com 7848 85.105.190.151 www.53.com.bankingportal.id869323895224.raahu.net 7850 85.105.190.151 www.53.com.bankingportal.id21484256585542.coolrag.us 7853 85.105.190.151 www.53.com.bankingportal.id33949188717143.juv4lr.sa.com 7854 220.76.90.191 online.bbandt.com.onlineservlet_id862917778.coolrag.us 7856 220.76.90.191 www.volksbank.de.networld.onlineid0598711713.juv4lr.sa.com 7857 85.105.190.151 www.53.com.bankingportal.id9184403518.huwin.net 7861 220.76.90.191 www.bankofamerica.com.onlinebankingid6755915717.juv4lr.sa.com 7863 220.76.90.191 online.bbandt.com.onlineservlet_id3899629.bitssite.biz 7870 85.104.120.89 www.53.com.portal.busid102076436.juv4lr.sa.com 7872 201.239.13.58 www.53.com.portal.busid3215853.vxvip.info 7873 201.239.13.58 www.53.com.portal.busid243642455.vxvip.info
	to forum · permalink · · 2007-02-02 11:31:52 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 2 edits	reply to nwrickert Rock phish report Feb 03, 2007 Today's rock phish info 7882 220.79.177.48 www.53.com.bankingportal.id03394641930669.k4ipa.co.nz 7883 220.79.177.48 www.53.com.bankingportal.id279161413.coolrag.us 7884 220.79.177.48 www.bankofamerica.com.onlinebankingid69003985.huwin.net 7885 220.79.177.48 online.bbandt.com.onlineservlet_id72321078.coolrag.us 7886 220.76.90.191 www.53.com.bankingportal.id1368651206429.draip.biz 7887 220.76.90.191 www.bankofamerica.com.onlinebankingid16092714.huwin.net 7901 220.76.90.191 www.bankofamerica.com.onlinebankingid0496014865.k4ipa.co.nz
	to forum · permalink · · 2007-02-03 11:30:32 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 4 edits	reply to nwrickert Rock phish report Feb 04, 2007 Rock phish seen thus far today: 7909 211.176.202.19 www.53.com.bankingportal.id36543146.bitssite.biz 7910 211.176.202.19 www.53.com.bankingportal.id377244301.vxvip.info 7911 85.30.192.102 www.53.com.bankingportal.id23220463340279.juv4lr.sa.com 7912 211.176.202.19 www.53.com.bankingportal.id63453301970658.vxvip.info 7913 211.176.202.19 www.53.com.bankingportal.id370295700.k4ipa.co.nz 7914 211.176.202.19 www.53.com.bankingportal.id26212770.draip.biz 7915 211.176.202.19 www.53.com.bankingportal.id16211302.coolrag.us 7916 211.176.202.19 www.53.com.bankingportal.id56036542872463.draip.biz 7922 211.176.202.19 www.53.com.portal.busid492294.trish.co.nz 7931 220.76.90.191 www.53.com.bankingportal.id01934854369.raahu.net 7934 220.76.90.191 online.bbandt.com.onlineservlet_id1649347.mody0.info 7935 220.76.90.191 www.bankofamerica.com.onlinebankingid21265311.mody0.info 7937 220.76.90.191 www.53.com.bankingportal.id5346996270608.bitssite.biz 7941 85.105.190.151 www.53.com.bankingportal.id7961524.mody0.info 7943 221.136.70.13 online.bbandt.com.onlineservlet_id71965261.mody0.info 7944 221.136.70.13 www.bankofamerica.com.onlinebankingid48729749.bitssite.biz
	to forum · permalink · · 2007-02-04 09:45:54 · (locked)
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest 3 edits	reply to nwrickert Rock phish report Feb 05, 2007 We have seen these rock phish today (so far) 7948 201.239.13.58 online.bbandt.com.onlineservlet_id773493577.bitssite.biz 7957 201.239.13.58 www.53.com.bankingportal.id0760863017.k4ipa.co.nz 7958 201.239.13.58 www.53.com.portal.busid094169.mody0.info 7959 85.30.192.102 www.53.com.portal.busid534417.coolrag.us 7960 85.30.192.102 www.bankofamerica.com.onlinebankingid1722205220.huwin.net 7961 NXDOMAIN www.53.com.bankingportal.id9142201070268.ipgin.us 7962 85.30.192.102 www.53.com.bankingportal.id821693697.huwin.net 7963 221.143.234.16 www.53.com.portal.busid02386.mylk4uw.at 7964 221.143.234.16 www.bankofamerica.com.onlinebankingid8320955344.bitssite.biz 7965 221.143.234.16 www.53.com.bankingportal.id88590413592.coolrag.us 7966 221.143.234.16 www.53.com.portal.busid99322.huwin.net 7968 NXDOMAIN www.53.com.portal.busid73028.k4ipa.co.nz 7969 221.143.234.16 www.53.com.bankingportal.id4280070634.mody0.info 7970 85.30.192.102 www.53.com.portal.busid52355416.coolrag.us 7971 NXDOMAIN online.bbandt.com.onlineservlet_id6236374.draip.biz 7975 221.143.234.16 www.53.com.bankingportal.id0191883875.raahu.net 7987 201.239.13.58 www.53.com.portal.busid15744.raggaj.co.nz 7988 201.239.13.58 www.53.com.portal.busid72281779.razamuz.info 7996 201.239.13.58 www.53.com.portal.busid9666259.ragill.net 7998 201.239.13.58 www.53.com.bankingportal.id529079699.erstesrz.biz 7999 201.239.13.58 www.53.com.bankingportal.id9226653637376.0nssite.info 8000 201.239.13.58 www.53.com.bankingportal.id2876217888249.raahu.net 8001 201.239.13.58 www.53.com.bankingportal.id9045519.raggaj.co.nz 8002 NXDOMAIN www.bankofamerica.com.onlinebankingid4205984.lk4uw.at 8003 201.239.13.58 www.bankofamerica.com.onlinebankingid91502264.raggaj.co.nz 8004 201.239.13.58 www.53.com.bankingportal.id376961494.raggaj.co.nz 8005 201.239.13.58 www.53.com.bankingportal.id4595989.your0ns.info 8006 201.239.13.58 www.53.com.bankingportal.id24328170428.raggaj.co.nz
	to forum · permalink · · 2007-02-05 11:22:25 · (locked)


Sunday, 08-Nov 12:17:11	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF