  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
3 edits | reply to nwrickert Rock phish report Feb 06, 2007
Rock phish seen today:
8017 85.105.190.151 www.53.com.bankingportal.id639623913.allerz.info
8020 85.105.190.151 www.53.com.portal.busid73542.allerz.info
8027 85.105.190.151 www.53.com.bankingportal.id105591399566.0nssite.info
8048 85.105.190.151 www.53.com.bankingportal.id04000409854379.allerz.info
8053 85.105.190.151 www.53.com.bankingportal.id674036915152.allerz.info
8054 85.105.190.151 www.53.com.bankingportal.id9204140.jmicf.info
nwrickert
2 edits | reply to nwrickert Rock phish report Feb 07, 2007
Today's submitted rock phish
8057 204.13.160.28 www.53.com.bankingportal.id0041072179.poeon.info
8060 NXDOMAIN www.53.com.bankingportal.id800791127.toprz.biz
8061 NXDOMAIN www.53.com.bankingportal.id2315614552852.toprz.biz
8063 220.95.115.189 www.53.com.bankingportal.id12994323222402.o0site.biz
8064 220.95.115.189 www.53.com.bankingportal.id58160193.jmicf.info
8065 NXDOMAIN www.53.com.bankingportal.id3725755880.oildo.info
8075 85.105.190.151 www.53.com.bankingportal.id7344641563957.moremi3or.biz
8077 NXDOMAIN www.53.com.bankingportal.id6836409.allerz.info
8080 NXDOMAIN www.53.com.bankingportal.id77457305501.absent0.biz
8085 NXDOMAIN www.53.com.portal.busid24320479.o0site.biz
8089 218.17.5.194 www.53.com.bankingportal.id8041129.brend-send.info
nwrickert
2 edits | reply to nwrickert Rock phish report Feb 08, 2007
Rock phish seen so far today:
8098 NXDOMAIN www.53.com.bankingportal.id0531765635.sdocg.biz
8108 220.95.115.189 www.53.com.bankingportal.id40532228.golpe3r.biz
8109 220.95.115.189 www.53.com.bankingportal.id8164853.wer3fe.info
8114 220.95.115.189 www.53.com.bankingportal.id1305326088265.brend-send.info
8115 NXDOMAIN www.53.com.portal.busid141460.
8116 218.22.100.110 www.53.com.portal.busid130654.metham.info
8121 218.22.100.110 www.53.com.portal.busid96653776.brend-send.info
8123 218.22.100.110 www.53.com.bankingportal.id33756551641154.brend-send.info
8126 218.22.100.110 www.53.com.bankingportal.id293248811.golpe3r.biz
8134 218.22.100.110 www.53.com.bankingportal.id2261422822471.brend-send.info

Note that IP addresses can change over time. During transition, different DNS servers can give different answers (due to residual cache content). The IP addresses given above are those found at the time I first checked that hostname. If my primary DNS server gave NXDOMAIN (non-existent domain), I checked with a second server. In case of disagreement, I gave the IP address in preference to NXDOMAIN.
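The report lines above all have one shape (record id, what the resolver returned, hostname), and every hostname buries a bank's domain inside the subdomain labels of an unrelated registered domain. As an added example that is not part of nwrickert's posts, the following Python parses that shape, isolates the registrable domain, groups hostnames by the address they resolved to, and flags hostnames where a brand appears only as embedded labels. The brand list and the two-entry suffix list are assumptions made for the illustration; the sample lines are copied from the reports in this thread.

```python
"""Parse rock-phish report lines and flag brand-in-subdomain hostnames (added example)."""
import re
from collections import defaultdict

# Sample lines copied from the reports in this thread: id, resolver result, hostname.
SAMPLE_REPORT = """
8098 NXDOMAIN www.53.com.bankingportal.id0531765635.sdocg.biz
8108 220.95.115.189 www.53.com.bankingportal.id40532228.golpe3r.biz
8109 220.95.115.189 www.53.com.bankingportal.id8164853.wer3fe.info
8115 NXDOMAIN www.53.com.portal.busid141460.
8175 dns failure www.directline4biz.com.bbw1508-cmserver.hkdop.info
8183 218.22.100.110 www.volksbank.de.networld.onlineid017892340.idqed.info
8350 24.74.247.108 www.53.com.bankingportal.id7367978.theldmx.co.nz
"""

# One report line: record id, then an IPv4 address or one of the lookup
# outcomes used in the thread, then the hostname.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+"
    r"(?P<result>\d{1,3}(?:\.\d{1,3}){3}|NXDOMAIN|dns failure|temp failure)\s+"
    r"(?P<host>\S+)$"
)

# Assumed: a tiny list of two-label public suffixes seen in the thread.
# A real tool would consult the Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.nz", "co.uk"}

# Assumed: brands whose domains are embedded in the hostnames reported above.
BRANDS = {"53.com", "volksbank.de", "directline4biz.com"}


def parse_report(text):
    """Turn report text into a list of {'id', 'result', 'host'} dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        records.append(m.groupdict())
    return records


def registered_domain(host):
    """Registrable domain (the part the phisher actually paid for), or None
    when the hostname is truncated in the report (trailing dot)."""
    if host.endswith("."):
        return None
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    if len(labels) >= 2:
        return ".".join(labels[-2:])
    return None


def impersonated_brand(host):
    """Return the brand whose domain appears as a run of labels inside the
    hostname without being the registered domain, else None."""
    labels = host.lower().rstrip(".").split(".")
    reg = registered_domain(host)
    for brand in sorted(BRANDS):
        blabels = brand.split(".")
        n = len(blabels)
        for i in range(len(labels) - n + 1):
            if labels[i:i + n] == blabels and reg != brand:
                return brand
    return None


def hosts_by_result(records):
    """Group hostnames by resolver result so shared hosting IPs stand out."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["result"]].append(rec["host"])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for rec in recs:
        print(rec["id"], rec["result"], registered_domain(rec["host"]),
              "impersonates", impersonated_brand(rec["host"]))
    for result, hosts in hosts_by_result(recs).items():
        print(result, len(hosts), "hostname(s)")
```

The check is deliberately about label runs rather than substrings, so a legitimate `www.53.com` is not flagged while `www.53.com.<anything>.golpe3r.biz` is; the truncated `8115` entry still yields a brand hit even though its registered domain is unknown.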
nwrickert
2 edits | reply to nwrickert Rock phish report Feb 09, 2007
Here are the rock phish submitted today (up to time of this post or last edit)
8139 218.22.100.110 www.53.com.bankingportal.id15548051050.golpe3r.biz
8140 218.22.100.110 www.53.com.bankingportal.id24751336.golpe3r.biz
8144 218.22.100.110 www.53.com.bankingportal.id8898419.wer3fe.info
8145 NXDOMAIN www.53.com.bankingportal.id2987324935565.doigc.info
8150 NXDOMAIN www.directline4biz.com.bbw96618-cmserver.titut.info
8154 218.22.100.110 www.directline4biz.com.bbw7727-cmserver.hkdop.info 218.38.140.198
8166 218.22.100.110 www.directline4biz.com.bbw2738-cmserver.di0opir.info 218.38.140.198
nwrickert
3 edits | reply to nwrickert Rock phish report Feb 10, 2007
Rock phish submitted today
8174 NXDOMAIN www.directline4biz.com.bbw95936-cmserver.greatj.biz
8175 dns failure www.directline4biz.com.bbw1508-cmserver.hkdop.info
8177 NXDOMAIN www.directline4biz.com.bbw2032-cmserver.titut.info
8182 dns failure www.53.com.bankingportal.id745220797431.d2r4g.biz
8183 218.22.100.110 www.volksbank.de.networld.onlineid017892340.idqed.info
8185 218.22.100.110 www.53.com.bankingportal.id80534340.yourp4you.biz
8189 218.22.100.110 www.53.com.bankingportal.id13634970838.guidep.info
8194 218.22.100.110 www.53.com.bankingportal.id64856588.yourbonline.biz
8206 218.22.100.110 www.53.com.bankingportal.id8628731.yourp4you.biz

Note on IP comments:
NXDOMAIN - the queried hostname does not exist
dns failure - there was a temporary error during lookup
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9
nwrickert
3 edits | reply to nwrickert Rock phish report Feb 11, 2007
Info on today's rock phish submissions
8219 218.22.100.110 www.53.com.bankingportal.id0340645.vnaid.biz
8220 218.22.100.110 www.53.com.bankingportal.id4915590211219.idqed.info
8221 218.22.100.110 www.53.com.bankingportal.id85052618922.idtom.biz
8222 218.22.100.110 www.53.com.bankingportal.id50152926.siddj.info
8223 218.22.100.110 www.53.com.portal.busid05082.vnaid.biz
8224 218.22.100.110 www.53.com.portal.busid69508.siddj.info
8232 218.38.140.198 www.53.com.portal.busid3247586.iddos.biz
8233 218.38.140.198 www.53.com.portal.busid70250.yourbonline.biz
8242 220.118.75.74 www.53.com.bankingportal.id39127641082.yourbonline.biz
8246 220.93.85.43 www.53.com.bankingportal.id12559352.ref-kikt.com
8247 220.93.85.43 www.53.com.bankingportal.id43320592.ref-kikt.com
8249 218.211.20.86 www.53.com.portal.busid4283621.guidep.info

The registrars hall of shame.
These are the registrars where the phish domains were registered.
Phish domain     Registrar
guidep.info      REGISTER.COM
iddos.biz        REGISTER.COM
idtom.biz        REGISTER.COM
idqed.info       REGISTER.COM
ref-kikt.com     NAME IT CORPORATION
siddj.info       REGISTER.COM
vnaid.biz        REGISTER.COM
yourbonline.biz  REGISTER.COM
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
reply to nwrickert Re: Rock phish information
said by nwrickert:
    The registrars hall of shame. These are the registrars where the phish domains were registered.
    Phish domain     Registrar
    iddos.biz        REGISTER.COM
    idtom.biz        REGISTER.COM
    idqed.info       REGISTER.COM
    siddj.info       REGISTER.COM
    vnaid.biz        REGISTER.COM
    yourbonline.biz  REGISTER.COM
I couldn't agree more...
Register.com Hall of Shame indeed !!
The domain registration policies are in desperate need of revision. There appears to be no willingness by the registrars to implement simple procedures that could drastically reduce phishing domains. The current procedure has absolutely no pre-vetting process; all of it takes place after the domain is up and running.
This loophole is a crucial component in enabling phishers and especially the rockphisher to operate.
The vast majority of phish domains are registered using the credit cards and identities of previously phished victims, most of which are in the US.
Registrars should take a cue from many mid level hosting providers. Two years ago when phishers targeted these hosts in droves using stolen cards to set up phish hosting, many many of these providers instituted a simple procedure that ran them off.
Faced with high losses from chargebacks for fraudulent card usage, these hosting providers set up toll free numbers and required any online hosting order to be followed up with a confirmation call within 2 or 3 hours of the order. That call had to originate from within the area of the billing address on the credit card that was used. The toll free number (ANI) prevents number spoofing, and the hosting order cannot go live until this process is completed. If the call is not made the order is dropped.
In the case of the domains that you just listed, six of them are all registered to the same carded victim:
guidep.info iddos.biz idtom.biz idqed.info siddj.info vnaid.biz
Domain Name: IDDOS.BIZ
Domain ID: D16357214-BIZ
Sponsoring Registrar: REGISTER.COM
Sponsoring Registrar IANA ID: 9
Domain Status: clientTransferProhibited
Registrant ID: 92061144FA4B1718
Registrant Name: Niamkey Koffi
Registrant Organization: Niamkey
Registrant Address1: 4695 Lowell Dr. Apt 806
Registrant City: NorthCharleston
Registrant State/Province: SC
Registrant Postal Code: SC
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.8438646015
Registrant Email: Niamks31eyKoffi@yahoo.com
Name Server: W1.SID-DJ.COM 65.196.200.99
Name Server: W2.SID-DJ.COM 200.55.222.77
Name Server: W3.SID-DJ.COM 85.21.162.153
Created by Registrar: REGISTER.COM
Last Updated by Registrar: REGISTER.COM
Domain Registration Date: Thu Feb 08 18:35:19 GMT 2007
Domain Expiration Date: Thu Feb 07 23:59:59 GMT 2008
Domain Last Updated Date: Thu Feb 08 19:18:34 GMT 2007

The name server domain that is used for these, SID-DJ.COM, is also registered to them.
SID-DJ.COM
Registration Service Provided By: GotNameDomains.com
Administrative Contact: Niamkey Niamkey Koffi (Niamks31eyKoffi@yahoo.com) +1.8438646015 Fax: - 4695 Lowell Dr. Apt 806 NorthCharleston, SC SC US
Name Servers: w1.sid-dj.com w2.sid-dj.com w3.sid-dj.com
Creation date: 08 Feb 2007 18:35:32
Expiration date: 08 Feb 2008 18:35:32
Contact: gmgr@gotnamedomains.com

The ref-kikt.com domain is another carded victim:
Domain Name:ref-kikt.com Registrar: THE NAME IT CORPORATION DBA NAMESERVICES.NET
Registrant Contact
Name: terry Ribera
Address: 4686 cherokee ave. sandiego, CA 92116 US
Email Address: bialous88@yahoo.com
Phone Number: (619)307-9433
Record Created on........ 2007-02-08 13:58:28.639
Expire on................ 2008-02-08 14:08:05.000
Domain servers in listed order:
w2.sid-dj.com
w3.sid-dj.com

As is the yourbonline.biz domain:
Domain Name: YOURBONLINE.BIZ
Domain ID: D16369857-BIZ
Sponsoring Registrar: REGISTER.COM
Sponsoring Registrar IANA ID: 9
Domain Status: clientTransferProhibited
Registrant ID: F8F032071BF18F12
Registrant Name: Connie Quinn
Registrant Organization: -
Registrant Address1: 656 Levens Addition
Registrant City: Ferriday
Registrant State/Province: LA
Registrant Postal Code: 71334
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.3187571660
Registrant Email: conniequinn@catlover.com
Name Server: NS1.YOURBONLINE.BIZ 220.135.238.25
Name Server: NS2.YOURBONLINE.BIZ 65.196.200.99
Created by Registrar: REGISTER.COM
Last Updated by Registrar: REGISTER.COM
Domain Registration Date: Fri Feb 09 16:49:22 GMT 2007
The Rockphisher has rinsed and repeated this process over a thousand times. By the time these get pulled, another batch will have already been registered to take their place.
This is preventable.
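MGD links the domains above by shared registrant details and by the shared name-server domain SID-DJ.COM. As an added example, not part of the thread, this Python does that pivot mechanically: it parses "Key: Value" whois text of the kind quoted above, extracts the registrant e-mail, phone and name-server domain as indicators, and merges domains that share any indicator into one cluster. The four whois records are constructed with placeholder registrants and name servers; they are not the real records quoted in the thread.

```python
"""Cluster phish domains by shared whois indicators (added example)."""
import re
from collections import defaultdict

# Constructed whois records in the "Key: Value" style quoted in the thread.
# Registrant details and name servers are placeholders, not the real records.
SAMPLE_WHOIS = {
    "example-a.biz": """
Domain Name: EXAMPLE-A.BIZ
Sponsoring Registrar: REGISTRAR-ONE
Registrant Email: victim-one@example.com
Registrant Phone Number: +1.5550100
Name Server: W1.NS-EXAMPLE.COM 192.0.2.10
Name Server: W2.NS-EXAMPLE.COM 192.0.2.11
""",
    "example-b.info": """
Domain Name: EXAMPLE-B.INFO
Sponsoring Registrar: REGISTRAR-ONE
Registrant Email: victim-one@example.com
Registrant Phone Number: +1.5550100
Name Server: W1.NS-EXAMPLE.COM 192.0.2.10
""",
    "example-c.com": """
Domain Name: EXAMPLE-C.COM
Sponsoring Registrar: REGISTRAR-TWO
Registrant Email: victim-two@example.net
Registrant Phone Number: +1.5550199
Name Server: W2.NS-EXAMPLE.COM 192.0.2.11
""",
    "unrelated.org": """
Domain Name: UNRELATED.ORG
Sponsoring Registrar: REGISTRAR-TWO
Registrant Email: someone@example.org
Registrant Phone Number: +1.5550177
Name Server: NS1.UNRELATED.ORG 198.51.100.5
""",
}


def parse_whois(text):
    """Return field -> list of values; repeated keys such as Name Server are kept."""
    fields = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and value:
            fields[key].append(value)
    return fields


def ns_domain(ns_value):
    """'W1.NS-EXAMPLE.COM 192.0.2.10' -> 'ns-example.com' (last two labels)."""
    host = ns_value.split()[0].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def indicators(fields):
    """Normalised pivot points: registrant e-mail, phone digits, NS domain."""
    ind = set()
    for email in fields.get("Registrant Email", []):
        ind.add(("email", email.lower()))
    for phone in fields.get("Registrant Phone Number", []):
        ind.add(("phone", re.sub(r"\D", "", phone)))
    for ns in fields.get("Name Server", []):
        ind.add(("ns_domain", ns_domain(ns)))
    return ind


def cluster_domains(records):
    """Union-find over domains: two domains sharing any indicator join one cluster.
    Returns clusters as sorted lists, largest first."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for domain, text in records.items():
        for ind in indicators(parse_whois(text)):
            if ind in first_seen:
                union(first_seen[ind], domain)
            else:
                first_seen[ind] = domain
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_WHOIS):
        print(len(cluster), "domain(s):", ", ".join(cluster))
```

In the constructed data, example-a and example-b share a registrant, and example-c shares only the name-server domain with them, so all three land in one cluster the way the six REGISTER.COM domains and ref-kikt.com do above through SID-DJ.COM; unrelated.org shares nothing and stays alone.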
nwrickert
3 edits | reply to nwrickert Rock phish report Feb 12, 2007
Here are today's rock phish submissions:
8263 218.38.140.198 www.53.com.bankingportal.id05495375916620.joeaz.biz
8265 201.228.25.32 www.53.com.bankingportal.id426388532476.idqed.info
8277 220.118.75.74 www.53.com.bankingportal.id5538965108.d2you.biz
8278 220.118.75.74 www.53.com.bankingportal.id63942547.topdnation.info
8279 NXDOMAIN www.53.com.bankingportal.id8968141810298.joeaz.biz
8280 204.13.160.28 www.53.com.bankingportal.id018804758964.idqed.info
8281 204.13.160.28 www.53.com.bankingportal.id48422213293898.idqed.info
8282 NXDOMAIN www.53.com.bankingportal.id7708269.yourp4you.biz
8283 204.13.160.28 www.53.com.bankingportal.id5465029.vnaid.biz
8285 220.118.75.74 www.53.com.bankingportal.id6661534.ref-kikt.com

Registrars hall of shame.
Registrars where these phish domains were registered.
Phish domain     Registrar
d2you.biz        REGISTER.COM
idqed.info       REGISTER.COM
joeaz.biz        REGISTER.COM
ref-kikt.com     NAME IT CORPORATION
topdnation.info  REGISTER.COM
vnaid.biz        REGISTER.COM
yourp4you.biz    unknown
nwrickert
1 edit | reply to nwrickert Rock phish report Feb 13, 2007
Rock phish submitted today:
8304 72.184.190.25 www.53.com.bankingportal.id9104276.njkerww.info
8305 72.184.190.25 www.53.com.bankingportal.id10299994042.newwuop.biz
8307 72.184.190.25 www.53.com.bankingportal.id38536386.wusop.biz
8316 61.100.119.49 www.53.com.bankingportal.id76291847.joasje4.biz

Registrars hall of shame
Registrars where these phish domains were registered:
Phish domain  Registrar
joasje4.biz   ADVANCED INTERNET TECHNOLOGIES
newwuop.biz   WILD WEST DOMAINS, INC.
njkerww.info  NAME IT CORPORATION
wusop.biz     WILD WEST DOMAINS, INC.
nwrickert
4 edits | reply to nwrickert Rock phish report Feb 14, 2007
Info on today's submitted rockphish
8321 dns failure www.53.com.bankingportal.id82163106896.njkerww.info
8324 dns failure www.53.com.bankingportal.id00316987239354.kjolwwxd.info
8325 dns failure www.53.com.bankingportal.id2663567.njkerww.info
8326 dns failure www.53.com.bankingportal.id4127323445.njkerww.info
8327 dns failure www.53.com.bankingportal.id33667690358623.kjolwwxd.info
8328 dns failure www.53.com.bankingportal.id501446931.mixdefop.info
8329 dns failure www.volksbank.de.networld.onlineid42571.kjolwwxd.info
8330 dns failure www.53.com.bankingportal.id90390382.kjolwwxd.info
8336 NXDOMAIN www.53.com.portal.busid98229.
8337 dns failure www.53.com.bankingportal.id0208955111735.kloe3.info
8338 NXDOMAIN www.53.com.bankingportal.id2562558192.hmojd.info
8341 NXDOMAIN www.53.com.bankingportal.id28396042868185.wuops.biz
8343 NXDOMAIN www.53.com.portal.busid813611.
8346 76.17.78.248 www.53.com.portal.busid7389626.dotxm.biz
8349 NXDOMAIN www.53.com.portal.busid1888908.dotxm.biz
8350 24.74.247.108 www.53.com.bankingportal.id7367978.theldmx.co.nz
8353 76.17.78.248 www.53.com.bankingportal.id33493477.rlope.info
8254 71.80.132.22 www.53.com.bankingportal.id60785736.olope6g.no.com

Most of these rockphish domains are depending on hosts in the domain HORIZAMA-JD.NET for dns servers. However, the domain HORIZAMA-JD.NET does not seem to exist at this time. Kudos to whichever registrar blocked this registration.
Registrars hall of shame
Where these phish domains were registered:
Phish domain    Registrar
dotxm.biz       ADVANCED INTERNET TECHNOLOGIES
hmojd.info      unknown
kjolwwxd.info   NAME IT CORPORATION
kloe3.info      NAME IT CORPORATION
mixdefop.info   NAME IT CORPORATION
njkerww.info    NAME IT CORPORATION
olope6g.no.com  delegated by CENTRALNIC.CO.UK
rlope.info      REGISTER.COM
theldmx.co.nz   Domainz Limited
wuops.biz       unknown
DNS server domain  Registrar
anti-bob.net       REGISTER.COM
difo-ns.com        THE NAME IT CORPORATION
MGD | 2 edits
said by nwrickert:
    Most of these rockphish domains are depending on hosts in the domain HORIZAMA-JD.NET for dns servers. However, the domain HORIZAMA-JD.NET does not seem to exist at this time. Kudos to whichever registrar blocked this registration.
For a moment I was pleasantly surprised that register.com may have taken preemptive action. However, from pieces of the puzzle it may not appear so, rather a possible rejection of the charge card by the processor 24 hours later.
HORIZAMA-JD.NET
Registrar: REGISTER.COM, INC.
Status: clientTransferProhibited
Dates: Created 12-feb-2007 Updated 12-feb-2007 Expires 12-feb-2008
DNS Servers: V1.HORIZAMA-JD.NET V2.HORIZAMA-JD.NET V3.HORIZAMA-JD.NET
referred to whois.register.com
No match for horizama-jd.net

For an after-the-fact revoked domain, one would expect to see a registration then a null route for the DNS with a negative TTL.
In this case the DNS WAS ACTIVE; a cache check of non-authoritative name servers from around the globe shows that V1, V2, and V3.HORIZAMA-JD.NET exist in several of them.
The DNS cached IP's were:
V1.HORIZAMA-JD.NET A=85.185.165.3 (Iran)
V2.HORIZAMA-JD.NET A=220.69.104.223 (Korea)
V3.HORIZAMA-JD.NET A=220.132.187.239 (Taiwan)
All 3 are similar to v1:

quote:
ISP DNS Lookup of V1.HORIZAMA-JD.NET A record
Generated by www.DNSstuff.com

Germany: wilhelm.tel #1 A=85.185.165.3 [TTL=1d 13h 30m 2s]
Germany: wilhelm.tel #2 A=85.185.165.3 [TTL=1d 13h 30m 2s]
Ireland: Energis [No cached answer: Would go to NS of net.]
Ireland: Energis [No cached answer: Would go to NS of ]
Israel: Actcom #1 [No cached answer: Would go to NS of horizama-jd.net.]
Israel: Actcom #2 [No cached answer: Would go to NS of horizama-jd.net.]
Israel: Barak 013 #1 TIMEOUT
Israel: Barak 013 #2 A=85.185.165.3 [TTL=19h 32m 44s]
Israel: Barak 013 #3 A=85.185.165.3 [TTL=1d 2h 27m 11s]
Israel: Bezeq International [No cached answer: Would go to NS of net.]
Israel: Bezeq International A=85.185.165.3 [TTL=21h 26m 36s]
Israel: Bezeq International A=85.185.165.3 [TTL=20h 29m 34s]
Israel: Bezeq International TIMEOUT
Israel: Golden Lines 012 #1 [No cached answer: Would go to NS of horizama-jd.net.]
Israel: Golden Lines 012 #2 [No cached answer: Would go to NS of horizama-jd.net.]
Israel: Netvision #1 A=85.185.165.3 [TTL=19h 21m 8s]
Israel: Netvision #2 [No cached answer: Would go to NS of horizama-jd.net.]
Israel: QOS #1 [No cached answer: Would go to NS of horizama-jd.net.]
Israel: QOS #2 [No cached answer: Would go to NS of horizama-jd.net.]
Israel: Smile 015 #1 TIMEOUT
Israel: Smile 015 #2 TIMEOUT
Israel: Smile 015 #3 [No cached answer: Would go to NS of net.]
Italy: Advanced Systems #1 TIMEOUT
Italy: Aruba S.p.A. #1 [No cached answer: Would go to NS of horizama-jd.net.]
Italy: Aruba S.p.A. #2 A=85.185.165.3 [TTL=22h 38m 59s]
Italy: Edisontel S.p.A./Eute [No cached answer: Would go to NS of horizama-jd.net.]
Italy: Edisontel S.p.A./Eute [No cached answer: Would go to NS of horizama-jd.net.]
Italy: FastWeb S.p.A. #1 [No cached answer: Would go to NS of horizama-jd.net.]
Italy: FastWeb S.p.A. #2 [No cached answer: Would go to NS of horizama-jd.net.]
Italy: I.Net S.p.A. #1 TIMEOUT
Italy: I.Net S.p.A. #2 [No cached answer: Would go to NS of horizama-jd.net.]
Italy: Interbusiness/Telecom [No cached answer: Would go to NS of ]
Italy: Interbusiness/Telecom A=85.185.165.3 [TTL=1d 0h 37m 46s]
Italy: Interbusiness/Telecom A=85.185.165.3 [TTL=17h 34m 19s]
Italy: ITnet S.p.A. #1 [No cached answer: Would go to NS of (root)]
Italy: ITnet S.p.A. #2 A=85.185.165.3 [TTL=1d 7h 16m 39s]
Italy: Wind Telecomunicazion A=85.185.165.3 [TTL=19h 55m 7s]
Italy: Wind Telecomunicazion [No cached answer: Would go to NS of horizama-jd.net.]
New Zealand: Xtra (Telecom) A=85.185.165.3 [TTL=17h 56m 31s]
New Zealand: Xtra (Telecom) [No cached answer: Would go to NS of horizama-jd.net.]
UK: AOL (UK) [No cached answer: Would go to NS of (root)]
UK: AOL (UK) [No cached answer: Would go to NS of (root)]
UK: AOL (UK) TIMEOUT
UK: AOL (UK) [No cached answer: Would go to NS of (root)]
UK: blueyonder [No cached answer: Would go to NS of horizama-jd.net.]
UK: blueyonder [No cached answer: Would go to NS of horizama-jd.net.]
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of net.]
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of net.]
UK: BT Broadband & BT Yahoo TIMEOUT
UK: BT Broadband & BT Yahoo TIMEOUT
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of net.]
UK: BT Broadband & BT Yahoo TIMEOUT
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of net.]
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of (root)]
UK: BT Broadband & BT Yahoo TIMEOUT
UK: BT Broadband & BT Yahoo TIMEOUT
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of net.]
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of net.]
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of net.]
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of (root)]
UK: BT Broadband & BT Yahoo [No cached answer: Would go to NS of net.]
UK: BT Broadband & BT Yahoo TIMEOUT
UK: BT Broadband & BT Yahoo TIMEOUT
UK: Claranet Ltd [No cached answer: Would go to NS of ]
UK: Claranet Ltd [No cached answer: Would go to NS of ]
UK: Demon Internet [No cached answer: Would go to NS of ]
UK: Demon Internet [No cached answer: Would go to NS of ]
UK: Easynet Ltd. [No cached answer: Would go to NS of net.]
UK: Easynet Ltd. [No cached answer: Would go to NS of net.]
UK: Easynet Ltd. dialup TIMEOUT
UK: Easynet Ltd. dialup TIMEOUT
UK: freenetname TIMEOUT
UK: freenetname TIMEOUT
UK: freeserve(?) [No cached answer: Would go to NS of horizama-jd.net.]
UK: freeserve(?) [No cached answer: Would go to NS of horizama-jd.net.]
UK: Global Internet TIMEOUT
UK: Global Internet TIMEOUT
UK: Griffin Internet [No cached answer: Would go to NS of (root)]
UK: Griffin Internet [No cached answer: Would go to NS of (root)]
UK: Loud-n-Clear [No cached answer: Would go to NS of net.]
UK: Loud-n-Clear [No cached answer: Would go to NS of ]
UK: Loud-n-Clear [No cached answer: Would go to NS of net.]
UK: Mistral Internet [No cached answer: Would go to NS of net.]
UK: Mistral Internet [No cached answer: Would go to NS of net.]
UK: NewNet TIMEOUT
UK: NewNet [No cached answer: Would go to NS of horizama-jd.net.]
UK: Nildram Ltd. [No cached answer: Would go to NS of horizama-jd.net.]
UK: Nildram Ltd. [No cached answer: Would go to NS of ]
UK: Nildram Ltd. [No cached answer: Would go to NS of ]
UK: Nildram Ltd. TIMEOUT
UK: NTL World & Virgin.net [No cached answer: Would go to NS of ]
UK: NTL World & Virgin.net [No cached answer: Would go to NS of ]
UK: One.Tel [No cached answer: Would go to NS of horizama-jd.net.]
UK: One.Tel [No cached answer: Would go to NS of horizama-jd.net.]
UK: PIPEX TIMEOUT
UK: PIPEX TIMEOUT
UK: PlusNet plc [No cached answer: Would go to NS of ]
UK: PlusNet plc [No cached answer: Would go to NS of ]
UK: PlusNet plc [No cached answer: Would go to NS of ]
UK: PlusNet plc [No cached answer: Would go to NS of ]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 16h 41m 3s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 14h 25m 22s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 15h 31m 7s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 18h 38m 20s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 14h 25m 53s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 15h 3m 18s]
UK: Prodigy Networks [No cached answer: Would go to NS of net.]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 15h 23m 13s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 14h 33m 35s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 16h 5m 3s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 18h 18m 38s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 18h 18m 50s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 15h 58m 52s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 16h 8m 26s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 16h 30m 22s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 14h 52m 16s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 17h 14m 34s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 17h 25m 3s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 16h 52m 26s]
UK: Prodigy Networks [No cached answer: Would go to NS of net.]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 17h 20m 16s]
UK: Supanet TIMEOUT
UK: Supanet TIMEOUT
UK: Tiscali (UK) A=85.185.165.3 [TTL=17h 39m 5s]
UK: Tiscali (UK) A=85.185.165.3 [TTL=1d 2h 29m 23s]
UK: Wanadoo UK(?) [No cached answer: Would go to NS of horizama-jd.net.]
UK: Wanadoo UK(?) [No cached answer: Would go to NS of horizama-jd.net.]
UK: Zen Internet [No cached answer: Would go to NS of (root)]
UK: Zen Internet TIMEOUT
US: Advanced Systems #1 TIMEOUT
US: Advanced Systems #2 TIMEOUT
US: ATT Worldnet #2 [No cached answer: Would go to NS of net.]
US: ATT Worldnet #1 [No cached answer: Would go to NS of net.]
US: Choicenet #1 [No cached answer: Would go to NS of net.]
US: Choicenet #2 [No cached answer: Would go to NS of net.]
US: Choicenet #3 [No cached answer: Would go to NS of net.]
US: Choicenet #4 [No cached answer: Would go to NS of net.]
US: Choicenet #5 [No cached answer: Would go to NS of horizama-jd.net.]
US: Choicenet #6 [No cached answer: Would go to NS of horizama-jd.net.]
US: Choicenet #7 A=85.185.165.3 [TTL=22h 2m 21s]
US: Choicenet #8 A=85.185.165.3 [TTL=22h 2m 18s]
US: Compuserve #1 [No cached answer: Would go to NS of (root)]
US: Compuserve #2 [No cached answer: Would go to NS of (root)]
US: Drizzle #1 [No cached answer: Would go to NS of net.]
US: Drizzle #2 [No cached answer: Would go to NS of ]
US: Earthlink #1 A=85.185.165.3 [TTL=1d 0h 56m 47s]
US: Earthlink #2 A=85.185.165.3 [TTL=22h 30m 4s]
US: Earthlink NetAxs #1 A=85.185.165.3 [TTL=22h 26m 13s]
US: Earthlink NetAxs #2 [No cached answer: Would go to NS of horizama-jd.net.]
US: FrontierNet, California, A=85.185.165.3 [TTL=23h 31m 20s]
US: FrontierNet, California, A=85.185.165.3 [TTL=18h 3m 21s]
US: FrontierNet, Illinois #1 A=85.185.165.3 [TTL=17h 39m 59s]
US: FrontierNet, Illinois #2 A=85.185.165.3 [TTL=19h 55m 0s]
US: FrontierNet, New York #1 A=85.185.165.3 [TTL=18h 8m 47s]
US: FrontierNet, New York #2 [No cached answer: Would go to NS of horizama-jd.net.]
US: FrontierNet, Road Runner [No cached answer: Would go to NS of net.]
US: FrontierNet, Road Runner [No cached answer: Would go to NS of net.]
US: FrontierNet, West Virgin [No cached answer: Would go to NS of horizama-jd.net.]
US: FrontierNet, West Virgin A=85.185.165.3 [TTL=23h 1m 35s]
US: GTE #1 A=85.185.165.3 [TTL=1d 5h 24m 18s]
US: GTE #2 A=85.185.165.3 [TTL=1d 12h 59m 0s]
US: IBMnet #1 [No cached answer: Would go to NS of net.]
US: IBMnet #2 [No cached answer: Would go to NS of net.]
US: Internet America #1 [No cached answer: Would go to NS of net.]
US: Internet America #2 [No cached answer: Would go to NS of net.]
US: Internet MCI #1 [No cached answer: Would go to NS of (root)]
US: MCI Internet #2 TIMEOUT
US: MCI Internet #2 [No cached answer: Would go to NS of horizama-jd.net.]
US: MCI Worldcom #1 A=85.185.165.3 [TTL=23h 46m 11s]
US: MCI Worldcom #2 A=85.185.165.3 [TTL=18h 30m 54s]
US: Mindspring #1 A=85.185.165.3 [TTL=19h 36m 48s]
US: Mindspring #2 A=85.185.165.3 [TTL=19h 36m 48s]
US: OneWest Idaho #1 A=85.185.165.3 [TTL=21h 58m 38s]
US: OneWest Idaho #2 A=85.185.165.3 [TTL=21h 58m 38s]
US: OneWest Montana #1 [No cached answer: Would go to NS of net.]
US: OneWest Montana #2 [No cached answer: Would go to NS of net.]
US: OneWest Wyoming #1 [No cached answer: Would go to NS of net.]
US: OneWest Wyoming #2 [No cached answer: Would go to NS of net.]
US: Prodigy Internet #1 A=85.185.165.3 [TTL=1d 14h 25m 51s]
US: Prodigy Internet #2 A=85.185.165.3 [TTL=1d 15h 3m 25s]
US: Qwest #1 [No cached answer: Would go to NS of net.]
US: Qwest #2 [No cached answer: Would go to NS of net.]
US: Roadrunner #1 [No cached answer: Would go to NS of horizama-jd.net.]
US: Roadrunner #2 [No cached answer: Would go to NS of net.]
US: Southwestern Bell #1 A=85.185.165.3 [TTL=1d 15h 53m 46s]
US: Southwestern Bell #2 A=85.185.165.3 [TTL=1d 16h 4m 9s]
US: SprintNet #1 [No cached answer: Would go to NS of net.]
US: Sprynet #1 [No cached answer: Would go to NS of (root)]
US: Sprynet #2 [No cached answer: Would go to NS of (root)]
US: Sprynet #1 A=85.185.165.3 [TTL=1d 17h 9m 20s]
US: Sprynet #2 A=85.185.165.3 [TTL=18h 48m 44s]
US: Sympatico #1 [No cached answer: Would go to NS of horizama-jd.net.]
US: Touch America #1 A=85.185.165.3 [TTL=19h 12m 42s]
US: Touch America #2 [No cached answer: Would go to NS of net.]
US: UUNet #1 [No cached answer: Would go to NS of net.]
US: UUNet #2 A=85.185.165.3 [TTL=1d 6h 33m 38s]
The longest TTL is 1d 18h 38m 20s, and the average TTL (of those with cached answers) is 1d 5h 49m 42s.
It would be nice if this turns out to be a deliberate and timely revoking of a phishing domain.
MGD EDIT= deleted text
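MGD's argument rests on reading the cached A answers and their remaining TTLs out of the DNSstuff output, then comparing the longest and average TTL against the registrar's "No match". As an added example, not part of MGD's post, this Python parses lines of that shape, counts cached answers, timeouts and cache misses, and reports the longest and average remaining TTL. The five sample lines are constructed in the same shape as the output above; a real run would be fed the full listing.

```python
"""Summarise a DNSstuff-style resolver cache check (added example)."""
import re

# Constructed sample in the shape of the "ISP DNS Lookup" output quoted above.
SAMPLE_CACHE_CHECK = """
Germany: wilhelm.tel #1 A=85.185.165.3 [TTL=1d 13h 30m 2s]
Ireland: Energis [No cached answer: Would go to NS of net.]
Israel: Barak 013 #1 TIMEOUT
Israel: Barak 013 #2 A=85.185.165.3 [TTL=19h 32m 44s]
UK: Prodigy Networks A=85.185.165.3 [TTL=1d 18h 38m 20s]
"""

# A line with a cached answer: resolver label, the A record, remaining TTL.
CACHED_RE = re.compile(
    r"^(?P<resolver>.+?)\s+A=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\[TTL=(?P<ttl>[^\]]+)\]$"
)
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def ttl_to_seconds(ttl):
    """'1d 18h 38m 20s' -> 153500."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)\s*([dhms])", ttl))


def seconds_to_ttl(seconds):
    """153500 -> '1d 18h 38m 20s' (zero-valued units other than seconds are omitted)."""
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count}{unit}")
    parts.append(f"{seconds}s")
    return " ".join(parts)


def summarize_cache_check(text):
    """Classify each resolver line and aggregate the cached TTLs."""
    cached, timeouts, uncached = [], 0, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CACHED_RE.match(line)
        if m:
            cached.append((m["resolver"], m["ip"], ttl_to_seconds(m["ttl"])))
        elif line.endswith("TIMEOUT"):
            timeouts += 1
        elif "[No cached answer" in line:
            uncached += 1
    ttls = [t for _, _, t in cached]
    return {
        "cached": len(cached),
        "timeouts": timeouts,
        "uncached": uncached,
        # distinct answers: more than one IP would mean resolvers disagree
        "answers": sorted({ip for _, ip, _ in cached}),
        "longest_ttl": max(ttls) if ttls else None,
        "average_ttl": round(sum(ttls) / len(ttls)) if ttls else None,
    }


if __name__ == "__main__":
    s = summarize_cache_check(SAMPLE_CACHE_CHECK)
    print(f"cached={s['cached']} timeouts={s['timeouts']} uncached={s['uncached']}")
    print("answers:", ", ".join(s["answers"]))
    print("longest TTL:", seconds_to_ttl(s["longest_ttl"]))
    print("average TTL:", seconds_to_ttl(s["average_ttl"]))
```

A positive cached answer with more than a day of TTL still to run is evidence that the name did resolve at some point, which is what separates MGD's "registered, then revoked" reading from a registration that never went live; the figures quoted in the post come from the full listing, not from this five-line sample.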
nwrickert
Thanks for digging up that info.
My suspicion is that these phishers don't actually send email till the domains are registered. In most cases, where we cannot find a registration, that probably means the registration was later yanked.
nwrickert
2 edits | reply to nwrickert Rock phish report Feb 15, 2007
Today's rock phish info:
8357 66.67.179.156 www.53.com.bankingportal.id786016166409.d2r4g.biz
8358 218.201.138.58 www.53.com.portal.busid022084.pol4hw.biz
8365 218.201.138.58 www.53.com.bankingportal.id62066224006.theldmx.co.nz

Registrars hall of shame
Phish domain   Registrar
d2r4g.biz      ADVANCED INTERNET TECHNOLOGIES
pol4hw.biz     ADVANCED INTERNET TECHNOLOGIES
theldmx.co.nz  Domainz Limited
DNS server domain  Registrar
anti-bob.net       REGISTER.COM
difo-ns.com        THE NAME IT CORPORATION
TE0D0RA.BIZ        ADVANCED INTERNET TECHNOLOGIES (parked?)
nwrickert
2 edits | reply to nwrickert Rock phish report Feb 16, 2007
Submitted rock phish info for today
8378 83.165.112.118 www.53.com.bankingportal.id170845441.rid0.info
8380 83.165.112.118 www.53.com.bankingportal.id4533607044623.linhi4oe.biz
8381 83.165.112.118 www.53.com.bankingportal.id078522049.di0opir.info
8382 NXDOMAIN www.53.com.bankingportal.id3784633.theldmx.co.nz
8383 83.165.112.118 www.53.com.bankingportal.id65785061008.linhi4oe.biz
8385 NXDOMAIN www.53.com.bankingportal.id01258683583229.d2r4g.biz
8392 83.165.112.118 www.53.com.bankingportal.id65544897.rid0.info
8394 83.165.112.118 www.53.com.portal.busid592436375.rytter.us
8405 70.237.28.25 www.53.com.bankingportal.id61686833.tirotie.info

Registrars hall of shame
Phish domain   Registrar                       Date
d2r4g.biz      ADVANCED INTERNET TECHNOLOGIES  2/08/2007
di0opir.info   THE NAME IT CORPORATION         2/08/2007
linhi4oe.biz   ADVANCED INTERNET TECHNOLOGIES  2/15/2007
rid0.info      ADVANCED INTERNET TECHNOLOGIES  2/15/2007
rytter.us      REGISTER.COM                    2/14/2007
theldmx.co.nz  Domainz Limited                 2/14/2007 (cancelled)
tirotie.info   REGISTER.COM                    2/14/2007
DNS server domain  Registrar                       Date
AREKON.INFO        REGISTER.COM                    2/14/2007
TE0D0RA.BIZ        ADVANCED INTERNET TECHNOLOGIES  4/29/2006 (parked?)
WOLKRID-NS.BIZ     ADVANCED INTERNET TECHNOLOGIES  2/15/2007
pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL
reply to nwrickert Re: Rock phish information
My good Lord....
1st note to self: never EVER register a domain at register.com. All of those domains and nobody there even has a clue? After just quietly following this thread for a while, it's simply mind boggling. The sad part is someone is falling for it over and over again.
Again, you guys are awesome with what you do -- babbling | How's the weather? | Need blinker fluid?
nwrickert
2 edits | reply to nwrickert Rock phish report Feb 17, 2007
Today's rock phish submissions:
8417 70.237.28.25 www.53.com.bankingportal.id3011916.mixdefop.info
8418 70.237.28.25 www.53.com.bankingportal.id1850240034.billwartell.info
8424 70.237.28.25 www.53.com.bankingportal.id439322483783.hukowet.biz
8428 70.237.28.25 www.53.com.bankingportal.id2677404323.di0opir.info
8429 70.237.28.25 www.53.com.bankingportal.id36788005827.di0opir.info
8430 NXDOMAIN www.53.com.bankingportal.id0134081806.
8434 70.237.28.25 www.53.com.bankingportal.id328301255.hukowet.biz
8436 70.237.28.25 www.53.com.bankingportal.id06378946.lof80.info
8440 70.237.28.25 www.53.com.bankingportal.id66067248.linhi4oe.biz

Registrars hall of shame
Phish domain      Registrar                       Date
billwartell.info  REGISTER.COM                    2/06/2007
di0opir.info      NAME IT CORPORATION             2/08/2007
hukowet.biz       REGISTER.COM                    2/14/2007
linhi4oe.biz      ADVANCED INTERNET TECHNOLOGIES  2/15/2007
lof80.info        NAME IT CORPORATION             2/13/2007
mixdefop.info     NAME IT CORPORATION             2/13/2007
DNS server domain  Registrar                       Date
AREKON.INFO        REGISTER.COM                    2/14/2007
WOLKRID-NS.BIZ     ADVANCED INTERNET TECHNOLOGIES  2/15/2007
nwrickert
| reply to pcdebb Re: Rock phish information
> 1st note to self: never EVER register a domain at register.com.
It isn't only REGISTER.COM, though they do seem to be a registrar of choice for the rockphish group.
I was raised in the tradition that expected us to accept moral responsibility for the effect of our actions on society. That old-fashioned idea seems to be out the window these days. So maybe we need registrars to be held *legally* responsible for their actions. Perhaps phishing victims should be able to sue the registrars that allowed the phishing domains to be created. And while we are dreaming, perhaps ISPs should be legally liable for allowing zombie networks on their client systems. In both cases one could allow exceptions for registrars and ISPs that are taking reasonable precautions.
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
3 edits | reply to nwrickert Rock phish report Feb 18, 2007
Rock phish information for today:
Registrars hall of shame
Phish domain      Registrar                        Date
di0opir.info      NAME IT CORPORATION              2/08/2007
hukowet.biz       REGISTER.COM                     2/14/2007
kjolwwxd.info     NAME IT CORPORATION              2/13/2007
mlofirtn.info     NAME IT CORPORATION              2/15/2007
njkerww.info      NAME IT CORPORATION              2/13/2007
DNS server domain   Registrar                        Date
AREKON.INFO         REGISTER.COM                     2/14/2007
WOLKRID-NS.BIZ      ADVANCED INTERNET TECHNOLOGIES   2/15/2007
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
3 edits | reply to nwrickert Rock phish report Feb 19, 2007
Information on today's rock phish submissions:
Registrars hall of shame
Phish domain      Registrar                        Date
billwartell.info  REGISTER.COM                     2/06/2007
di0opir.info      NAME IT CORPORATION              2/08/2007
hukowet.biz       REGISTER.COM                     2/14/2007
linhi4oe.biz      ADVANCED INTERNET TECHNOLOGIES   2/15/2007
mlofirtn.info     NAME IT CORPORATION              2/15/2007
njkerww.info      NAME IT CORPORATION              2/13/2007
rid0.info         ADVANCED INTERNET TECHNOLOGIES   2/15/2007
rytter.us         REGISTER.COM                     2/14/2007
tirotie.info      REGISTER.COM                     2/14/2007
DNS server domain   Registrar                        Date
AREKON.INFO         REGISTER.COM                     2/14/2007
WOLKRID-NS.BIZ      ADVANCED INTERNET TECHNOLOGIES   2/15/2007
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
1 edit | reply to nwrickert Rock phish report Feb 20, 2007
Today's submissions:
Registrars hall of shame
Phish domain      Registrar                        Date
di0opir.info      THE NAME IT CORPORATION          2/08/2007
iparkave.biz      ADVANCED INTERNET TECHNOLOGIES   2/16/2007 (domain cancelled)
mifinco.cc        REGISTER.COM                     2/19/2007
moremi3or.biz     ADVANCED INTERNET TECHNOLOGIES   2/01/2007
sinewavenue.biz   unknown
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9
|