nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

Rock phish information

Subject to available time, I am planning to use this thread to list information on recently posted rock phish. The list will include the phishtracker reference number, the IP address (if available), the hostname for the phish page.

The plan is to do one post of this format per day, editing that post from time to time as new samples of rock phish are submitted.

nwrickert

What's a rock phish anyway?

The rock phish is a particular style of phish that is difficult to deal with. Recent phish for Fifth Third Bank are all of this form, as are some of the Bank of America phish and some eTrade phish.

The phish url for a rock phish is sent in only one email message. For example, one of today's collection (phish #7559) uses
http://www.53.com.portal.busid8623879.cifio.net/cbdir
as the url. As you can see, the hostname includes a numeric component. The phisher modifies this number for each copy of the email sent, resulting in unique links.

With this practice, the phisher avoids phish filters such as that on IE7. These phish filters use a database check to see if the phish url has already been reported. But since you are the only one receiving this url, nobody else will have reported it. Perhaps these filters should also be checking the IP address of the phish site, since phishers use only a relatively small number of IP addresses but a large number of hostnames.

The rock phish email typically contains the url link attached to an image. Since most of the text of the phish email is in the image, this makes it difficult for heuristic mail filters to recognize this as a phish.

To create this kind of phish, the phisher registers a new domain. My guess is that it is registered from a hijacked computer, and paid for with a stolen credit card number. The phisher sets up DNS for the new domain, thus creating DNS entries for his multiple phish domain names. In the case of the sample url given above, that domain is "cifio.net". Perhaps if phish filters were to check just the base part of the domain name, that would be another way they could detect and flag a domain as a rock phish domain.
alien8

join:2004-03-03
UK

Re: What's a rock phish anyway?

said by nwrickert:

The rock phish email typically contains the url link attached to an image. Since most of the text of the phish email is in the image, this makes it difficult for heuristic mail filters to recognize this as a phish

Difficult, yep... but there are things "wrong" with how the phish emails are produced... that I'm not going to go into... but can be used to detect that it's a rock phish email.

Look on the stats page for items labelled "Rock", showing that it can be detected... certainly using ClamAV:

»sanesecurity.com/clamav/stats.htm

Cheers,

Steve
--
Tired of spam? Grab www.spampal.org

SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
·Comcast Formerly ..

said by nwrickert:

The rock phish is a particular style of phish that is difficult to deal with.
...With this practice, the phisher avoids phish filters such as that on IE7. These phish filters use a database check to see if the phish url has already been reported.

I believe that IE7 also uses some primitive heuristics to flag "suspected" phish sites (orange address bar).

How hard can it really be??

A Rock phish URL is more probable...

• The longer the host name is.
• if the host name contains more than 2-3 periods.
• if substring ".com" is not followed by "/" (not at end of host name).
• (Matches above rules and contains typical phish fragments ("paypal", ".53.", "bbt", etc.)) ... probably not even needed.
• etc.

How many legitimate sites would produce a false positive in this test? Really?

nwrickert

Re: What's a rock phish anyway?

said by SYNACK:

I believe that IE7 also uses some primitive heuristics to flag "suspected" phish sites (orange address bar).

That matches my experience. Yet I just brought up the phish page for phish #11054, and IE7 didn't flag it, nor suggest that it could be a phish. I do have IE7 configured to check.

said by SYNACK:

How hard can it really be?

I would not have thought it particularly hard. But then I'm not a Microsoft designer or programmer, so what would I know?

In addition to the indicators you mention, the presence of a form with a password (masked input) on the page should be one of the hints.

The trouble with heuristics is that to change them you have to release a new version of IE7 and persuade people to update to it. As long as IE7 is mostly relying on contacting an online database, the better approach would be to modify the database lookup strategy. For some kinds of phish, they should block all urls that use a particular domain name. That would take care of rockphish.

The database backend could use heuristics to identify rockphish. If a phish uses a domain name that was registered very recently, the chances are that the domain name was registered with the intent of phishing. The presence of a wildcard A or CNAME record in DNS further increases the likelihood that this is a phishing domain. All urls for such a domain should be flagged as probable phish, unless some human intervention overrides this.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10
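
An added example (not code from any poster in this thread): a Python implementation of the checks discussed above, SYNACK's host-name heuristics and the base-domain lookup nwrickert proposes, run over constructed reports. The thresholds, the short suffix table and the `rockdemo.example` names are assumptions; only the cifio.net URL comes from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumptions, not values from the thread: the thresholds, and a tiny suffix
# table standing in for the Public Suffix List.
LONG_HOST = 35
MAX_PERIODS = 3
TWO_LABEL_SUFFIXES = {"co.nz", "co.uk", "sa.com"}
EMBEDDED_TLDS = {"com", "net", "org", "de"}
NUMERIC_ID = re.compile(r"\d{5,}")  # per-recipient number inside a label


def hostname(url):
    """Lower-cased host part of a URL or of a bare host name."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def base_domain(host):
    """Base domain: last two labels, or three for co.nz-style suffixes."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def hostname_signals(host):
    """Names of the host-name heuristics that fire for one host."""
    base = base_domain(host)
    prefix = host[: len(host) - len(base)].rstrip(".")
    labels = prefix.split(".") if prefix else []
    signals = []
    if len(host) > LONG_HOST:
        signals.append("long-hostname")
    if host.count(".") > MAX_PERIODS:
        signals.append("many-periods")
    if any(label in EMBEDDED_TLDS for label in labels):
        signals.append("embedded-tld")  # e.g. ".com" that is not at the end
    if any(NUMERIC_ID.search(label) for label in labels):
        signals.append("numeric-id-label")
    return signals


def flag_domains(reported_urls, min_hosts=2):
    """Base domains seen with at least min_hosts distinct host names that each
    carry an embedded TLD and a numeric id label."""
    hosts_by_domain = defaultdict(set)
    for url in reported_urls:
        host = hostname(url)
        if {"embedded-tld", "numeric-id-label"} <= set(hostname_signals(host)):
            hosts_by_domain[base_domain(host)].add(host)
    return {d for d, hosts in hosts_by_domain.items() if len(hosts) >= min_hosts}


def verdict(url, reported_urls, flagged_domains):
    """Exact-URL lookup next to a base-domain lookup for the same URL."""
    host = hostname(url)
    return {
        "exact_match": url in set(reported_urls),
        "domain_match": base_domain(host) in flagged_domains,
        "signals": hostname_signals(host),
    }


# The first URL is the sample quoted in the thread; the rest are constructed
# under the reserved .example TLD.
THREAD_SAMPLE = "http://www.53.com.portal.busid8623879.cifio.net/cbdir"
REPORTED = [
    THREAD_SAMPLE,
    "http://www.53.com.bankingportal.id1000001.rockdemo.example/",
    "http://www.bankofamerica.com.onlinebankingid2000002.rockdemo.example/",
    "http://www.53.com.bankingportal.id3000003.rockdemo.example/",
]
UNSEEN = "http://www.53.com.bankingportal.id9999999.rockdemo.example/"
LEGITIMATE = "https://www.bankofamerica.com/"

if __name__ == "__main__":
    flagged = flag_domains(REPORTED)
    for url in (UNSEEN, THREAD_SAMPLE, LEGITIMATE):
        print(url, verdict(url, REPORTED, flagged))
```

The never-reported URL misses the exact-URL lookup but matches once its base domain has been flagged from earlier reports.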

nwrickert

Rock phish report Jan 26, 2007

Rock phish info seen so far today:

nwrickert

Rock phish report Jan 27, 2007

Today's rock phish info
garys_2k

join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage

Re: Rock phish information

Hmm, I wonder if posting one of these without scrambling the I.D. tag could lead to your email being blacklisted by a careful phish publisher. If one particular email address' phish were often killed, that could be an indication that the recipient wasn't the usual luser.

nwrickert

Re: Rock phish information

Interesting question. Yes, those links could be used as a kind of web bug, to track the recipient address. The phisher would have to keep records to do that tracking.

It doesn't seem to be happening. People who are posting Fifth Third phish are still getting more. I see attempts to block phishtracker access to some of the web pages (which makes the link appear dead), but I haven't seen any evidence that they are actively removing phish submitters from their mailing lists.

nwrickert

Rock phish report Jan 28, 2007

Today's rock phish (so far)

s0tet

join:2005-06-08

Re: Rock phish information

Rockphish are extremely prolific. If you check out the current phish URLs reported at »www.phishtank.com/ most of the time, they are Rockphish just as they are here in PhishTracker.


The key to getting rockphish disabled is getting the domains disabled by the registrars as soon as possible as you see the rockphish use the fraudulently purchased domains for the subdomains in the phishing sites and for the nameservers.

nwrickert

Re: Rock phish information

It would be even better if the registrars would make it a bit harder to set up these domains in the first place. Something like a 14 day waiting period for a new domain and new customer (but no such delay for an established customer with a good record).
MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

Re: Rock phish information

said by nwrickert:

It would be even better if the registrars would make it a bit harder to set up these domains in the first place. Something like a 14 day waiting period for a new domain and new customer (but no such delay for an established customer with a good record).

I am surprised that something along those lines has not already been adopted due to the massive amount of fraudulent registrations. Plus, since most are registered with stolen/phished credit accounts not only does the registrar not get paid, they also get a hefty chargeback.

The Rockphish group appears to go out of their way to use remote registrars that are off the beaten path, and they vary them. That tactic also makes it difficult for the registration to be revoked promptly.

Recently though I noticed an increasing number of the phish submits are DOA. I am not sure whether that is due to more aggressive and timely intervention, or issues with the botnet hosting.

said by garys_2k:

Hmm, I wonder if posting one of these without scrambling the I.D. tag could lead to your email being blacklisted by a careful phish publisher ........

You are correct, since each link is unique they could be tracked back. However in this case the volume is so high and frequent that culling the list from phish reports is probably a waste of time. There are way too many examples of each phish out there to make that an effective tactic.

Ultimately their downfall will be the fact they have made it to the top of the list by the sheer volume, frequency, and tactics, which generates a lot more scrutiny and focus than had they remained low key and "average".

Their advantage and staying power has been their ability to be dynamic and adapt their technique to work around any roadblocks.

Though some published reports attribute them to be Romanian phishers with complex abilities, in my opinion they and their tactics have more in common with Russian drug pill spammers.

MGD

nwrickert

Rock phish report Jan 29, 2007

Here is the summary for phish listed today:

nwrickert

Rock phish report Jan 30, 2007

Rock phish seen so far today

nwrickert

Rock phish report Jan 31, 2007

Info on rock phish received today (so far)

nwrickert

Re: Rock phish report Jan 31, 2007

Here is some domain registration info for rock phish reported today:

DOMAIN REGISTRAR Phish#

usetx.com REGISTER.COM 7757
sintx.info Register.com 7758, 7765
glopd.co.nz Register.com 7761, 7773, 7779
ezgor.biz REGISTER.COM 7762
tbitx.us REGISTER.COM 7766
ematx.biz REGISTER.COM 7768
raahu.net THE NAME IT CORPORATION 7770
nsiam.biz REGISTER.COM 7772
hmitx.biz REGISTER.COM 7774
hunglop.biz REGISTER.COM 7778
fg5tx.co.nz Register.com 7780

NOTE to domain registrars:

It is typical of rock phish, that a domain is registered for the purpose of phishing (i.e. fraud, identity theft, crime).

It is very likely that the person named as domain owner is either bogus or a victim of identity theft, and it is very likely that registration fees were paid for using stolen credit cards or other stolen fund source.

nwrickert

Rock phish report Feb 01, 2007

Rock phish seen today

nwrickert

Rock phish report Feb 02, 2007

Rock phish seen today

nwrickert

Rock phish report Feb 03, 2007

Today's rock phish info

nwrickert

Rock phish report Feb 04, 2007

Rock phish seen thus far today:

nwrickert

Rock phish report Feb 05, 2007

We have seen these rock phish today (so far)

nwrickert

Rock phish report Feb 06, 2007

Rock phish seen today:

nwrickert

Rock phish report Feb 07, 2007

Today's submitted rock phish

nwrickert

Rock phish report Feb 08, 2007

Rock phish seen so far today:
Note that IP addresses can change over time. During transition, different DNS servers can give different answers (due to residual cache content). The IP addresses given above are those found at the time I first checked that hostname. If my primary DNS server gave NXDOMAIN (non-existent domain), I checked with a second server. In case of disagreement, I gave the IP address in preference to NXDOMAIN.

nwrickert

Rock phish report Feb 09, 2007

Here are the rock phish submitted today (up to time of this post or last edit)

nwrickert

Rock phish report Feb 10, 2007

Rock phish submitted today
Note on IP comments:
 NXDOMAIN - the queried hostname does not exist
 dns failure - there was a temporary error during lookup

--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9

nwrickert

Rock phish report Feb 11, 2007

Info on today's rock phish submissions
The registrars hall of shame.

These are the registrars where the phish domains were registered.
Phish domain    Registrar

guidep.info REGISTER.COM
iddos.biz REGISTER.COM
idtom.biz REGISTER.COM
idqed.info REGISTER.COM
ref-kikt.com NAME IT CORPORATION
siddj.info REGISTER.COM
vnaid.biz REGISTER.COM
yourbonline.biz REGISTER.COM

--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9
(topic locked)