nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

Rock phish report Oct 16, 2007

The report for Tuesday:
19039 dns_temp_fail     securelogin-57033285.moneymanagergps.com.bfg65.com
19040 dns_temp_fail     securelogin-60844338.moneymanagergps.com.bib49.com
19041 dns_temp_fail     securelogin-65581548.moneymanagergps.com.bib49.com
19043 dns_temp_fail     securelogin-14577949.moneymanagergps.com.tkb54.com
19048 dns_temp_fail     securelogin-45277814.moneymanagergps.com.bfg65.com
19050 NXDOMAIN          hiring-id5678057380.monster.com.tomder2.xz.cn
19051 dns_temp_fail     securelogin-06522666.moneymanagergps.com.bib49.com
19052 dns_temp_fail     securelogin-03273562.moneymanagergps.com.fks18.com
19060 79.212.197.135(10) e-access65383780.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.xtr48.biz
19066 24.147.48.162(10) e-access59346371.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.trf54.biz
19067 24.147.48.162(10) e-access07345258.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.xtr48.biz
19070 24.147.48.162(10) e-access32667923.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.ams76.us
19080 24.7.36.14(10)    e-access07448147.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.bts48.info
19081 NXDOMAIN          hiring-id976865311.monster.com.a382415.xz.cn
19082 211.60.129.140    hiring-id48878524.monster.com.deeper3.gx.cn
 

Domain registration info

   Phish domain         Registrar      Registered   Status

a382415.xz.cn www.cnnic.net.cn 10/11/2007
ams76.us REGISTER.COM 10/15/2007
bfg65.com REGISTER.COM 10/14/2007
bib49.com REGISTER.COM 10/14/2007
bts48.info REGISTER.COM 10/15/2007
deeper3.gx.cn www.cnnic.net.cn 10/12/2007
fks18.com REGISTER.COM 10/14/2007
tkb54.com REGISTER.COM 10/14/2007
tomder2.xz.cn unknown 10/14/2007? (cancelled?)
trf54.biz REGISTER.COM 10/15/2007
xtr48.biz REGISTER.COM 10/15/2007


DNS server domain         Registrar      Registered   Status

abc-tgc.com REGISTER.COM 9/11/2007
bar-bar-com.com BIZCN.COM 9/18/2007 (cancelled)
dinovod.com TODAYNIC.COM 10/16/2007


--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5


nwrickert

Rock phish report Oct 17, 2007

The Merrill Lynch phish below each have 3 distinct phish URLs. Hence each is listed 3 times.

Here is the Wednesday report:
19083 24.7.36.14(10)    e-access54033417.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.rtm64.info
19103 121.247.93.148    e-access49673960.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.fgt79.biz
19104 64.131.251.173    e-access04312350.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.ams76.us
19105 82.53.90.126      e-access49088767.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.uip32.info
19106 64.131.251.173    e-access79477928.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.mnr37.us
19110 211.60.129.140    hiring-id7146560180.monster.com.portland5.xz.cn
19116 67.166.209.253(10) wcma.businesscenter.bcprivate.asp68662234.wcmaloginea.aspx.tms72.info
19116 67.166.209.253(10) wcma.businesscenter.bcprivate.asp62124676.wcmaloginea.aspx.ind76.info
19116 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp02851988.wcmaloginea.aspx.fds32.net
19117 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp50876787.wcmaloginea.aspx.fds32.net
19117 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp40859746.wcmaloginea.aspx.knr57.biz
19117 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp18561442.wcmaloginea.aspx.mdq28.biz
19144 67.166.209.253(10) wcma.businesscenter.bcprivate.asp30395914.wcmaloginea.aspx.ucx43.us
19144 67.166.209.253(10) wcma.businesscenter.bcprivate.asp17048739.wcmaloginea.aspx.ucx43.us
19144 67.166.209.253(10) wcma.businesscenter.bcprivate.asp15474189.wcmaloginea.aspx.ucx43.us
19145 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp53567270.wcmaloginea.aspx.tms72.info
19145 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp69683557.wcmaloginea.aspx.ntr55.biz
19145 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp32809992.wcmaloginea.aspx.rfc92.info
19146 phish_is_down     wcma.businesscenter.bcprivate.asp53811061.wcmaloginea.aspx.rsf39.us
19146 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp95258794.wcmaloginea.aspx.gwy87.net
19146 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp81865619.wcmaloginea.aspx.knr57.biz
19147 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp77923633.wcmaloginea.aspx.ntr55.biz
19147 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp40485483.wcmaloginea.aspx.nbt68.us
19147 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp08549393.wcmaloginea.aspx.nbt68.us
19148 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp65897775.wcmaloginea.aspx.knr57.biz
19148 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp59158011.wcmaloginea.aspx.ind76.info
19148 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp81110168.wcmaloginea.aspx.tms72.info
19149 85.105.182.6      hiring-id954472813.monster.com.noiptool.cn
19150 85.105.182.6      hiring-id19126492.monster.com.reer34.xz.cn
19151 85.105.182.6      hiring-id50042894.monster.com.girafa.hk
19152 85.105.182.6      hiring-id75393726.monster.com.111shtorm.cn
 

Domain registration info

   Phish domain         Registrar      Registered   Status

111shtorm.cn www.cnnic.net.cn 10/11/2007
ams76.us REGISTER.COM 10/15/2007
fds32.net REGISTER.COM 10/16/2007 (suspended)
fgt79.biz REGISTER.COM 10/15/2007
girafa.hk HKDNR 10/16/2007
gwy87.net REGISTER.COM 10/16/2007 (suspended)
ind76.info REGISTER.COM 10/16/2007 (suspended)
knr57.biz REGISTER.COM 10/16/2007 (suspended)
mdq28.biz REGISTER.COM 10/16/2007 (suspended)
mnr37.us REGISTER.COM 10/15/2007
nbt68.us REGISTER.COM 10/16/2007 (suspended)
noiptool.cn www.cnnic.net.cn 10/11/2007
ntr55.biz REGISTER.COM 10/16/2007 (suspended)
portland5.xz.cn unknown 10/15/2007? (cancelled)
reer34.xz.cn unknown 10/15/2007? (cancelled)
rfc92.info REGISTER.COM 10/16/2007 (suspended)
rsf39.us REGISTER.COM 10/16/2007 (suspended)
rtm64.info REGISTER.COM 10/15/2007
tms72.info REGISTER.COM 10/16/2007 (suspended)
ucx43.us REGISTER.COM 10/16/2007
uip32.info REGISTER.COM 10/15/2007


DNS server domain         Registrar      Registered   Status

2ndzero.com INFO AVENUE 10/06/2007
abc-tgc.com REGISTER.COM 9/11/2007
bar-bar-com.com BIZCN.COM 9/18/2007 (cancelled)
bestlightyear.com REGISTER.COM 10/11/2007
dinovod.com TODAYNIC.COM 10/16/2007
polo456.com TODAYNIC.COM 9/17/2007
realtextonline.com INFO AVENUE 9/12/2007




nwrickert

Rock phish report Oct 18, 2007

Again, there are 3 lines for each Merrill Lynch phish, due to 3 URLs in the phish email. The registrar has suspended or cancelled the domains used for all Merrill Lynch phish.

Here is the report for Thursday:
19156 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp40496449.wcmaloginea.aspx.ucx43.us
19156 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp90452945.wcmaloginea.aspx.ucx43.us
19156 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp90860921.wcmaloginea.aspx.ucx43.us
19160 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp19200766.wcmaloginea.aspx.ucx43.us
19160 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp02133381.wcmaloginea.aspx.ucx43.us
19160 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp86684504.wcmaloginea.aspx.ucx43.us
19164 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp90444524.wcmaloginea.aspx.ojs73.com
19164 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp71993139.wcmaloginea.aspx.ojs73.com
19164 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp95310048.wcmaloginea.aspx.brd58.com
19165 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp03417610.wcmaloginea.aspx.gnw49.com
19165 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp47352096.wcmaloginea.aspx.dse43.com
19165 68.85.133.53(10)  wcma.businesscenter.bcprivate.asp82506613.wcmaloginea.aspx.gnw49.com
19168 24.7.36.14(10)    wcma.businesscenter.bcprivate.asp56057309.wcmaloginea.aspx.trc43.net
19168 24.7.36.14(10)    wcma.businesscenter.bcprivate.asp60357243.wcmaloginea.aspx.trc43.net
19168 24.7.36.14(10)    wcma.businesscenter.bcprivate.asp91918864.wcmaloginea.aspx.lkh21.net
19170 24.7.36.14(10)    wcma.businesscenter.bcprivate.asp47646814.wcmaloginea.aspx.dse43.com
19170 24.7.36.14(10)    wcma.businesscenter.bcprivate.asp06142062.wcmaloginea.aspx.dse43.com
19170 24.7.36.14(10)    wcma.businesscenter.bcprivate.asp25829160.wcmaloginea.aspx.dse43.com
19175 81.181.175.39(10) wcma.businesscenter.bcprivate.asp69447226.wcmaloginea.aspx.gvs86.net
19175 81.181.175.39(10) wcma.businesscenter.bcprivate.asp23998546.wcmaloginea.aspx.qsr93.net
19175 81.181.175.39(10) wcma.businesscenter.bcprivate.asp83028608.wcmaloginea.aspx.gvs86.net
19190 NXDOMAIN          wcma.businesscenter.bcprivate.asp97243412.wcmaloginea.aspx.ucx43.us
19190 NXDOMAIN          wcma.businesscenter.bcprivate.asp84197879.wcmaloginea.aspx.ucx43.us
19190 NXDOMAIN          wcma.businesscenter.bcprivate.asp93590149.wcmaloginea.aspx.ucx43.us
19191 NXDOMAIN          wcma.businesscenter.bcprivate.asp56727378.wcmaloginea.aspx.dse43.com
19191 NXDOMAIN          wcma.businesscenter.bcprivate.asp50394519.wcmaloginea.aspx.dse43.com
19191 79.112.29.32(10)  wcma.businesscenter.bcprivate.asp95499647.wcmaloginea.aspx.gnw49.com
19192 85.105.182.6      hiring-id285268037.monster.com.orocin3.gx.cn
19193 dns_temp_fail     wcma.businesscenter.bcprivate.asp82618557.wcmaloginea.aspx.45gsd.com
19193 dns_temp_fail     wcma.businesscenter.bcprivate.asp57581352.wcmaloginea.aspx.45gsd.com
19193 dns_temp_fail     wcma.businesscenter.bcprivate.asp89601745.wcmaloginea.aspx.try42.com
19196 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp83216809.wcmaloginea.aspx.urd68.biz
19196 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp71285567.wcmaloginea.aspx.jda53.biz
19196 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp15432351.wcmaloginea.aspx.urd68.biz
19198 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp81267939.wcmaloginea.aspx.yfw79.biz
19198 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp49747275.wcmaloginea.aspx.jvq56.biz
19198 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp56242990.wcmaloginea.aspx.yfw79.biz
19199 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp02450253.wcmaloginea.aspx.trc43.net
19199 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp95897893.wcmaloginea.aspx.trc43.net
19199 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp72661895.wcmaloginea.aspx.lkh21.net
19200 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp09183779.wcmaloginea.aspx.gnw49.com
19200 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp65007058.wcmaloginea.aspx.gnw49.com
19200 79.178.21.85(10)  wcma.businesscenter.bcprivate.asp20191240.wcmaloginea.aspx.gnw49.com
19201 dns_temp_fail     wcma.businesscenter.bcprivate.asp08479329.wcmaloginea.aspx.ucx43.us
19201 dns_temp_fail     wcma.businesscenter.bcprivate.asp58819237.wcmaloginea.aspx.ucx43.us
19201 dns_temp_fail     wcma.businesscenter.bcprivate.asp80077091.wcmaloginea.aspx.ucx43.us
 

Domain registration info

   Phish domain         Registrar      Registered   Status

45gsd.com REGISTER.COM 10/18/2007 (suspended)
brd58.com REGISTER.COM 10/17/2007 (cancelled)
dse43.com REGISTER.COM 10/17/2007 (cancelled)
gnw49.com REGISTER.COM 10/17/2007 (cancelled)
gvs86.net unknown 10/17/2007? (cancelled?)
jda53.biz REGISTER.COM 10/17/2007 (suspended)
jvq56.biz unknown 10/17/2007? (cancelled?)
lkh21.net REGISTER.COM 10/17/2007 (cancelled)
ojs73.com REGISTER.COM 10/17/2007 (cancelled)
orocin3.gx.cn www.cnnic.net.cn 10/17/2007
qsr93.net unknown 10/17/2007? (cancelled?)
trc43.net REGISTER.COM 10/17/2007 (cancelled)
try42.com REGISTER.COM 10/18/2007 (suspended)
ucx43.us REGISTER.COM 10/16/2007 (cancelled)
urd68.biz REGISTER.COM 10/17/2007 (suspended)
yfw79.biz unknown 10/17/2007? (cancelled?)


DNS server domain         Registrar      Registered   Status

bar-bar-com.com BIZCN.COM 9/18/2007 (cancelled)
bestlightyear.com REGISTER.COM 10/11/2007
ebigstep.com INFO AVENUE 9/27/2007
goldbigstar.com INFO AVENUE 10/06/2007
lo1-prt.com BIZCN.COM 9/05/2007 (cancelled)
mbhold.com REGISTER.COM 10/04/2007 (suspended)



MGD
Premium,MVM
join:2002-07-31
kudos:9

Wow !!
They have taken a definite liking to REGISTER.COM as of late.

MGD



nwrickert

As best I can tell, there have been different teams at work here. I see plenty of evidence that they are part of the same larger group, though I cannot definitively prove that. The team that is interested in ACH access and Merrill Lynch has a preference for REGISTER.COM and Domain Discreet. The team that does the more routine phishes tends to try different registrars until they wear out their welcome. At present the ACH team is the one preparing the phishes, and the other team seems to be taking a break (or plotting something).

I'm guessing that somebody from Merrill Lynch got on the phone to REGISTER.COM. I have never before seen them take down sites this quickly.



UncleScooter
Bubbles, I like Bubbles
Premium
join:2002-04-15
Tallahassee, FL

"I'm guessing that somebody from Merrill Lynch got on the phone to REGISTER.COM. I have never before seen then take down sites this quickly."

Now THAT is one conversation I would've loved to listen in on!
--
I know you think you understand what you thought I said, but what I'm not sure about is that what you heard isn't exactly what I meant.


MGD

said by nwrickert:

....The team that is interested in ACH access and Merrill Lynch has a preference for REGISTER.COM and Domain Discreet. The team that does the more routine phishes tends to try different registrars until they wear out their welcome. .....
Very interesting, ... plus register could almost write a script to filter out rockphish domains at enrollment time, creatures of habit. I cannot see that a lot of legit domains get registered 3 letter 2 digits or vice versa, a la "lkh21". I did notice that the ach crew are going for volume in an attempt to override the lack of domain stamina.

MGD
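As an added example (my code, not anything posted by nwrickert or MGD, and not a tool the thread describes): a small Python parser for the daily report lines above. It pulls out the registrable phish domain and the spoofed brand embedded in the hostname (compassbank.com, monster.com, moneymanagergps.com), counts results by DNS status, groups domains by the IP they resolve to, and applies the kind of pattern filter MGD suggests a registrar could run at enrollment. The three-label .cn suffix list, the "4 to 6 alphanumeric characters mixing letters and digits" heuristic (a generalisation of MGD's "lkh21" shape), and the handling of the parenthesised count after an IP (carried through unchanged, since the thread does not define it) are my assumptions. The sample lines are copied from the reports in this thread so the script runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the thread's daily reports:
# <submission id> <DNS result> <phish hostname>. The nine lines are copied
# from the reports above; the script itself is an added example.
SAMPLE_REPORT = """\
19039 dns_temp_fail     securelogin-57033285.moneymanagergps.com.bfg65.com
19050 NXDOMAIN          hiring-id5678057380.monster.com.tomder2.xz.cn
19060 79.212.197.135(10) e-access65383780.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.xtr48.biz
19066 24.147.48.162(10) e-access59346371.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.trf54.biz
19116 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp02851988.wcmaloginea.aspx.fds32.net
19117 58.39.68.70(10)   wcma.businesscenter.bcprivate.asp40859746.wcmaloginea.aspx.knr57.biz
19146 phish_is_down     wcma.businesscenter.bcprivate.asp53811061.wcmaloginea.aspx.rsf39.us
19218 209.85.51.238     wcma.businesscenter.bcprivate.asp91310461.wcmaloginea.aspx.bnt43.net
19285 221.12.43.189     hiring-id93941382.monster.com.kcfiiwere.es
"""

# Assumption: the registrable domain is the last two labels, except under these
# .cn third-level zones, where the thread's registration tables list three
# labels (e.g. tomder2.xz.cn). Hypothetical short list, not a full suffix list.
THREE_LABEL_SUFFIXES = {"xz.cn", "gx.cn", "gz.cn"}

LINE_RE = re.compile(r"^(?P<id>\d+)\s+(?P<result>\S+)\s+(?P<host>\S+)\s*$")
# "79.212.197.135(10)": an IP plus an optional parenthesised count. The thread
# does not define the count, so it is carried through unchanged (1 when absent).
IP_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<n>\d+)\))?$")


def registrable_domain(host: str) -> str:
    labels = host.lower().split(".")
    if ".".join(labels[-2:]) in THREE_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def rock_style(label: str) -> bool:
    """MGD's observation generalised (assumption): a short throwaway label of
    4-6 characters mixing letters and digits, e.g. lkh21, xtr48, 45gsd."""
    return (4 <= len(label) <= 6 and label.isalnum()
            and any(c.isalpha() for c in label) and any(c.isdigit() for c in label))


def embedded_brand(host: str):
    """Return a brand domain spoofed inside the hostname (e.g. compassbank.com
    in e-access....compassbank.com.....xtr48.biz), or None if there is none."""
    domain = registrable_domain(host)
    body = host.lower()[: -len(domain) - 1].split(".")
    for i in range(1, len(body)):
        if body[i] in ("com", "net", "org"):
            return body[i - 1] + "." + body[i]
    return None


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    result = m.group("result")
    ipm = IP_RE.match(result)
    host = m.group("host")
    domain = registrable_domain(host)
    return {
        "id": int(m.group("id")),
        # non-IP results are kept verbatim: NXDOMAIN, dns_temp_fail, phish_is_down
        "status": "resolves" if ipm else result,
        "ip": ipm.group("ip") if ipm else None,
        "count": int(ipm.group("n") or 1) if ipm else 0,
        "host": host,
        "domain": domain,
        "brand": embedded_brand(host),
        "rock_style": rock_style(domain.split(".")[0]),
    }


def parse_report(text: str) -> list:
    return [r for r in map(parse_line, text.splitlines()) if r]


def summarize(records: list) -> dict:
    """Counts by DNS status, the distinct phish domains behind each resolved IP,
    and the domains whose first label fits the rock-style pattern."""
    by_status = Counter(r["status"] for r in records)
    per_ip = defaultdict(set)
    for r in records:
        if r["ip"]:
            per_ip[r["ip"]].add(r["domain"])
    return {
        "by_status": dict(by_status),
        "domains_per_ip": {ip: sorted(d) for ip, d in per_ip.items()},
        "flagged": sorted({r["domain"] for r in records if r["rock_style"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(key, value)
```

Run it against a full day's report pasted into SAMPLE_REPORT (or read from a file) and the "flagged" list is the set a registrar-side filter would have held for review; the "domains_per_ip" view shows how many throwaway domains sit behind one host at a time. The heuristic will also match some legitimate short names, so it is a triage signal, not a block list.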


nwrickert

Rock phish report Oct 19, 2007

The Friday report:
19214 NXDOMAIN          wcma.businesscenter.bcprivate.asp65638272.wcmaloginea.aspx.lkh21.net
19214 NXDOMAIN          wcma.businesscenter.bcprivate.asp69771795.wcmaloginea.aspx.lkh21.net
19214 NXDOMAIN          wcma.businesscenter.bcprivate.asp88642153.wcmaloginea.aspx.trc43.net
19215 NXDOMAIN          wcma.businesscenter.bcprivate.asp74202269.wcmaloginea.aspx.rty73.com
19215 NXDOMAIN          wcma.businesscenter.bcprivate.asp93913154.wcmaloginea.aspx.56ub.com
19215 NXDOMAIN          wcma.businesscenter.bcprivate.asp38257002.wcmaloginea.aspx.rty73.com
19216 NXDOMAIN          wcma.businesscenter.bcprivate.asp35760165.wcmaloginea.aspx.yzc93.com
19216 NXDOMAIN          wcma.businesscenter.bcprivate.asp76086634.wcmaloginea.aspx.bsr54.com
19216 NXDOMAIN          wcma.businesscenter.bcprivate.asp74877118.wcmaloginea.aspx.yzc93.com
19217 NXDOMAIN          wcma.businesscenter.bcprivate.asp56941779.wcmaloginea.aspx.fds32.net
19217 NXDOMAIN          wcma.businesscenter.bcprivate.asp49881988.wcmaloginea.aspx.ind76.info
19217 NXDOMAIN          wcma.businesscenter.bcprivate.asp45089690.wcmaloginea.aspx.rsf39.us
19218 209.85.51.238     wcma.businesscenter.bcprivate.asp91310461.wcmaloginea.aspx.bnt43.net
19218 NXDOMAIN          wcma.businesscenter.bcprivate.asp34449899.wcmaloginea.aspx.gfa53.info
19218 NXDOMAIN          wcma.businesscenter.bcprivate.asp56073629.wcmaloginea.aspx.gwy87.net
19219 NXDOMAIN          wcma.businesscenter.bcprivate.asp30958731.wcmaloginea.aspx.yfw79.biz
19219 NXDOMAIN          wcma.businesscenter.bcprivate.asp33627406.wcmaloginea.aspx.yfw79.biz
19219 NXDOMAIN          wcma.businesscenter.bcprivate.asp72602590.wcmaloginea.aspx.yfw79.biz
19220 dns_temp_fail     wcma.businesscenter.bcprivate.asp81251426.wcmaloginea.aspx.uj99.com
19220 NXDOMAIN          wcma.businesscenter.bcprivate.asp55090847.wcmaloginea.aspx.xsw432.org
19220 dns_temp_fail     wcma.businesscenter.bcprivate.asp66706690.wcmaloginea.aspx.bgt55.com
19221 NXDOMAIN          wcma.businesscenter.bcprivate.asp74248908.wcmaloginea.aspx.nd7.biz
19221 NXDOMAIN          wcma.businesscenter.bcprivate.asp52323022.wcmaloginea.aspx.vbp6.net
19221 NXDOMAIN          wcma.businesscenter.bcprivate.asp84823485.wcmaloginea.aspx.nd7.biz
19222 NXDOMAIN          securelogin-79397538.moneymanagergps.com.bfg65.com
19223 dns_temp_fail     e-access92890160.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.dft38.us
19224 NXDOMAIN          e-access15471264.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.skt32.com
19225 dns_temp_fail     e-access25729284.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.uip32.info
19226 NXDOMAIN          e-access76836132.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.fgt79.biz
19227 dns_temp_fail     securelogin-04988390.moneymanagergps.com.jus83.com
19228 dns_temp_fail     securelogin-33382068.moneymanagergps.com.hds76.com
19230 NXDOMAIN          wcma.businesscenter.bcprivate.asp49984519.wcmaloginea.aspx.vfd12.com
19230 dns_temp_fail     wcma.businesscenter.bcprivate.asp95331148.wcmaloginea.aspx.7hj5.com
19230 dns_temp_fail     wcma.businesscenter.bcprivate.asp13443823.wcmaloginea.aspx.7hj5.com
19231 NXDOMAIN          wcma.businesscenter.bcprivate.asp97524783.wcmaloginea.aspx.dvz8.net
19231 NXDOMAIN          wcma.businesscenter.bcprivate.asp36835929.wcmaloginea.aspx.hnw21.net
19231 NXDOMAIN          wcma.businesscenter.bcprivate.asp42349270.wcmaloginea.aspx.mni43.com
19249 78.96.29.20(10)   wcma.businesscenter.bcprivate.asp25082254.wcmaloginea.aspx.ljs83.com
19249 78.96.29.20(10)   wcma.businesscenter.bcprivate.asp57895560.wcmaloginea.aspx.fsp68.com
19249 78.96.29.20(10)   wcma.businesscenter.bcprivate.asp42611204.wcmaloginea.aspx.fsp68.com
19254 79.178.254.190(10) wcma.businesscenter.bcprivate.asp02776420.wcmaloginea.aspx.ll32.com
19254 NXDOMAIN          wcma.businesscenter.bcprivate.asp51259149.wcmaloginea.aspx.ll322.com
19254 NXDOMAIN          wcma.businesscenter.bcprivate.asp56203485.wcmaloginea.aspx.ll789.com
19255 NXDOMAIN          wcma.businesscenter.bcprivate.asp91721162.wcmaloginea.aspx.lp9.info
19255 NXDOMAIN          wcma.businesscenter.bcprivate.asp14416697.wcmaloginea.aspx.ke4.info
19255 NXDOMAIN          wcma.businesscenter.bcprivate.asp16068590.wcmaloginea.aspx.ke4.info
19257 NXDOMAIN          hiring-id56080375.monster.com.hrenov4.gz.cn
19258 NXDOMAIN          wcma.businesscenter.bcprivate.asp57240314.wcmaloginea.aspx.uiuyt6.com
19258 NXDOMAIN          wcma.businesscenter.bcprivate.asp05757664.wcmaloginea.aspx.uiuyt6.com
19258 NXDOMAIN          wcma.businesscenter.bcprivate.asp02448610.wcmaloginea.aspx.uiuyt6.com
19259 NXDOMAIN          hiring-id59592.monster.com.mailop5.xz.cn
19260 NXDOMAIN          hiring-id005437368.monster.com.g5oo5liv.xz.cn
19265 dns_temp_fail     e-access23459193.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.trf54.biz
19266 dns_temp_fail     securelogin-57598628.moneymanagergps.com.fks18.com
19268 phish_is_down     wcma.businesscenter.bcprivate.asp31142919.wcmaloginea.aspx.dse43.com
19268 phish_is_down     wcma.businesscenter.bcprivate.asp70968119.wcmaloginea.aspx.dse43.com
19268 phish_is_down     wcma.businesscenter.bcprivate.asp15396532.wcmaloginea.aspx.dse43.com
 

Domain registration info

   Phish domain         Registrar      Registered   Status

56ub.com REGISTER.COM 10/18/2007 (suspended)
7hj5.com REGISTER.COM 10/18/2007 (suspended)
bfg65.com REGISTER.COM 10/14/2007
bgt55.com REGISTER.COM 10/18/2007 (suspended)
bnt43.net ULTRARPM 10/18/2007
bsr54.com unknown 10/16/2007? (cancelled?)
dft38.us REGISTER.COM 10/15/2007
dse43.com REGISTER.COM 10/17/2007 (cancelled)
dvz8.net unknown 10/18/2007? (cancelled?)
fds32.net REGISTER.COM 10/16/2007 (suspended)
fgt79.biz REGISTER.COM 10/15/2007
fks18.com REGISTER.COM 10/14/2007
fsp68.com REGISTER.COM 10/19/2007
g5oo5liv.xz.cn unknown 10/18/2007? (cancelled?)
gfa53.info unknown 10/16/2007? (cancelled?)
gwy87.net REGISTER.COM 10/16/2007 (suspended)
hds76.com REGISTER.COM 10/14/2007
hnw21.net unknown 10/18/2007? (cancelled?)
hrenov4.gz.cn unknown 10/18/2007? (cancelled?)
ind76.info REGISTER.COM 10/16/2007 (suspended)
jus83.com REGISTER.COM 10/14/2007
ke4.info unknown 10/18/2007? (cancelled?)
ljs83.com REGISTER.COM 10/19/2007
lkh21.net REGISTER.COM 10/17/2007 (cancelled)
ll322.com REGISTER.COM 10/19/2007 (suspended)
ll32.com REGISTER.COM 10/19/2007
ll789.com REGISTER.COM 10/19/2007 (suspended)
lp9.info unknown 10/18/2007? (cancelled?)
mailop5.xz.cn unknown 10/18/2007? (cancelled?)
mni43.com unknown 10/18/2007? (cancelled?)
nd7.biz unknown 10/18/2007? (cancelled?)
rsf39.us REGISTER.COM 10/16/2007 (suspended)
rty73.com REGISTER.COM 10/18/2007 (suspended)
skt32.com REGISTER.COM 10/15/2007 (suspended)
trc43.net REGISTER.COM 10/17/2007 (cancelled)
trf54.biz REGISTER.COM 10/15/2007
uip32.info REGISTER.COM 10/15/2007
uiuyt6.com unknown 10/18/2007? (cancelled?)
uj99.com REGISTER.COM 10/18/2007 (suspended)
vbp6.net unknown 10/18/2007? (cancelled?)
vfd12.com unknown 10/18/2007? (cancelled?)
xsw432.org unknown 10/18/2007? (cancelled?)
yfw79.biz unknown 10/17/2007? (cancelled?)
yzc93.com unknown 10/16/2007? (cancelled?)


DNS server domain         Registrar      Registered   Status

2ndzero.com INFO AVENUE 10/06/2007
abc-tgc.com REGISTER.COM 9/11/2007 (suspended)
bestlightyear.com REGISTER.COM 10/11/2007 (suspended)
plugininput.com INFO AVENUE 10/02/2007




nwrickert

Rock phish report Oct 20, 2007

The Saturday report:
19275 NXDOMAIN          wcma.businesscenter.bcprivate.asp63226423.wcmaloginea.aspx.ljs83.com
19275 NXDOMAIN          wcma.businesscenter.bcprivate.asp86372720.wcmaloginea.aspx.ll882.com
19275 NXDOMAIN          wcma.businesscenter.bcprivate.asp51588672.wcmaloginea.aspx.ll789.com
19276 NXDOMAIN          wcma.businesscenter.bcprivate.asp66137406.wcmaloginea.aspx.vnp91.com
19276 NXDOMAIN          wcma.businesscenter.bcprivate.asp98332883.wcmaloginea.aspx.skq54.com
19276 NXDOMAIN          wcma.businesscenter.bcprivate.asp64174883.wcmaloginea.aspx.hds54.com
19285 221.12.43.189     hiring-id93941382.monster.com.kcfiiwere.es
19286 221.12.43.189     hiring-id3648331442.monster.com.esbeyon1d.gz.cn
19288 221.12.43.189     hiring-id7076176106.monster.com.kiier1.li
19289 221.12.43.189     hiring-id835259115.monster.com.koowershop.at
19290 221.12.43.189     hiring-id621957.monster.com.ko5el6.hk
19291 NXDOMAIN          wcma.businesscenter.bcprivate.asp83941908.wcmaloginea.aspx.ll32.com
19291 NXDOMAIN          wcma.businesscenter.bcprivate.asp70669026.wcmaloginea.aspx.ll32.com
19291 NXDOMAIN          wcma.businesscenter.bcprivate.asp41591555.wcmaloginea.aspx.ll32.com
 

Domain registration info

   Phish domain         Registrar      Registered   Status

esbeyon1d.gz.cn www.cnnic.net.cn 10/11/2007
hds54.com REGISTER.COM 10/19/2007 (suspended)
kcfiiwere.es www.nic.es 10/19/2007?
kiier1.li www.switch.ch 10/19/2007?
ko5el6.hk HKDNR 10/20/2007
koowershop.at AT-DOM 10/20/2007? (suspended)
ljs83.com REGISTER.COM 10/19/2007 (suspended)
ll32.com REGISTER.COM 10/19/2007 (suspended)
ll789.com REGISTER.COM 10/19/2007 (suspended)
ll882.com REGISTER.COM 10/19/2007 (suspended)
skq54.com REGISTER.COM 10/19/2007 (suspended)
vnp91.com REGISTER.COM 10/19/2007 (suspended)


DNS server domain         Registrar      Registered   Status

bar-bar-com.com BIZCN.COM 9/18/2007 (cancelled)
vilopr.cn www.cnnic.net.cn 8/16/2007




nwrickert

Rock phish report Oct 22, 2007

There were no rock phish submitted yesterday (Sunday).

Here is the report for Monday:
19319 79.113.80.78(10)  wcma.businesscenter.bcprivate.asp96162728.wcmaloginea.aspx.ocs2.com
19319 79.113.80.78(10)  wcma.businesscenter.bcprivate.asp92723311.wcmaloginea.aspx.ocs2.com
19319 79.113.80.78(10)  wcma.businesscenter.bcprivate.asp67183848.wcmaloginea.aspx.bbsq1.com
19321 79.113.80.78(10)  wcma.businesscenter.bcprivate.asp08997928.wcmaloginea.aspx.dvu8.com
19321 79.113.80.78(10)  wcma.businesscenter.bcprivate.asp17088423.wcmaloginea.aspx.dvu8.com
19321 79.113.80.78(10)  wcma.businesscenter.bcprivate.asp90912488.wcmaloginea.aspx.dvu8.com
19322 NXDOMAIN          wcma.businesscenter.bcprivate.asp79436580.wcmaloginea.aspx.c1j1.com
19322 NXDOMAIN          wcma.businesscenter.bcprivate.asp36498144.wcmaloginea.aspx.3l24.com
19322 NXDOMAIN          wcma.businesscenter.bcprivate.asp85724920.wcmaloginea.aspx.3l24.com
19325 NXDOMAIN          wcma.businesscenter.bcprivate.asp01250590.wcmaloginea.aspx.c1j1.com
19325 NXDOMAIN          wcma.businesscenter.bcprivate.asp82531809.wcmaloginea.aspx.3l24.com
19325 NXDOMAIN          wcma.businesscenter.bcprivate.asp29011317.wcmaloginea.aspx.3l24.com
19331 NXDOMAIN          wcma.businesscenter.bcprivate.asp33829591.wcmaloginea.aspx.enn1.com
19331 NXDOMAIN          wcma.businesscenter.bcprivate.asp08367569.wcmaloginea.aspx.mol11.com
19331 NXDOMAIN          wcma.businesscenter.bcprivate.asp62333855.wcmaloginea.aspx.mol11.com
19332 79.113.46.37(10)  wcma.businesscenter.bcprivate.asp44049753.wcmaloginea.aspx.vfr331.com
19332 79.113.46.37(10)  wcma.businesscenter.bcprivate.asp35765070.wcmaloginea.aspx.vfr331.com
19332 NXDOMAIN          wcma.businesscenter.bcprivate.asp45414394.wcmaloginea.aspx.87ud.com
19334 NXDOMAIN          hiring-id191684.monster.com.kiier1.ch
19335 NXDOMAIN          wcma.businesscenter.bcprivate.asp05037261.wcmaloginea.aspx.3l24.com
19335 NXDOMAIN          wcma.businesscenter.bcprivate.asp81936321.wcmaloginea.aspx.3l24.com
19335 NXDOMAIN          wcma.businesscenter.bcprivate.asp65753533.wcmaloginea.aspx.c1j1.com
19336 NXDOMAIN          wcma.businesscenter.bcprivate.asp99588860.wcmaloginea.aspx.mol11.com
19336 NXDOMAIN          wcma.businesscenter.bcprivate.asp62796565.wcmaloginea.aspx.enn1.com
19336 NXDOMAIN          wcma.businesscenter.bcprivate.asp36099670.wcmaloginea.aspx.enn1.com
19337 NXDOMAIN          wcma.businesscenter.bcprivate.asp82367874.wcmaloginea.aspx.bbsq1.com
19337 NXDOMAIN          wcma.businesscenter.bcprivate.asp29190574.wcmaloginea.aspx.bbsq1.com
19337 NXDOMAIN          wcma.businesscenter.bcprivate.asp06915539.wcmaloginea.aspx.bbsq1.com
19338 NXDOMAIN          wcma.businesscenter.bcprivate.asp89076344.wcmaloginea.aspx.c1j1.com
19338 NXDOMAIN          wcma.businesscenter.bcprivate.asp90843953.wcmaloginea.aspx.3l24.com
19338 NXDOMAIN          wcma.businesscenter.bcprivate.asp47397786.wcmaloginea.aspx.3l24.com
19339 NXDOMAIN          wcma.businesscenter.bcprivate.asp57726813.wcmaloginea.aspx.dres61.com
19339 NXDOMAIN          wcma.businesscenter.bcprivate.asp80727722.wcmaloginea.aspx.ter34.com
19339 NXDOMAIN          wcma.businesscenter.bcprivate.asp50066458.wcmaloginea.aspx.ter34.com
19340 NXDOMAIN          wcma.businesscenter.bcprivate.asp85756140.wcmaloginea.aspx.dres61.com
19340 NXDOMAIN          wcma.businesscenter.bcprivate.asp30281181.wcmaloginea.aspx.dres61.com
19340 NXDOMAIN          wcma.businesscenter.bcprivate.asp72539443.wcmaloginea.aspx.dres61.com
19341 NXDOMAIN          wcma.businesscenter.bcprivate.asp04179987.wcmaloginea.aspx.vfr331.com
19341 NXDOMAIN          wcma.businesscenter.bcprivate.asp00099091.wcmaloginea.aspx.87ud.com
19341 NXDOMAIN          wcma.businesscenter.bcprivate.asp42744218.wcmaloginea.aspx.vfr331.com
19342 NXDOMAIN          wcma.businesscenter.bcprivate.asp77545532.wcmaloginea.aspx.vfr331.com
19342 NXDOMAIN          wcma.businesscenter.bcprivate.asp64323840.wcmaloginea.aspx.vfr331.com
19342 NXDOMAIN          wcma.businesscenter.bcprivate.asp79438433.wcmaloginea.aspx.vfr331.com
19343 NXDOMAIN          wcma.businesscenter.bcprivate.asp81097926.wcmaloginea.aspx.345tg.com
19343 NXDOMAIN          wcma.businesscenter.bcprivate.asp27246303.wcmaloginea.aspx.65rad.com
19343 NXDOMAIN          wcma.businesscenter.bcprivate.asp13760220.wcmaloginea.aspx.65rad.com
19349 NXDOMAIN          wcma.businesscenter.bcprivate.asp31845140.wcmaloginea.aspx.ter34.com
19349 NXDOMAIN          wcma.businesscenter.bcprivate.asp17217252.wcmaloginea.aspx.7iuhf.com
19349 NXDOMAIN          wcma.businesscenter.bcprivate.asp05091487.wcmaloginea.aspx.vfr331.com
19352 NXDOMAIN          wcma.businesscenter.bcprivate.asp78666988.wcmaloginea.aspx.vfr331.com
19352 NXDOMAIN          wcma.businesscenter.bcprivate.asp27331975.wcmaloginea.aspx.vfr331.com
19352 NXDOMAIN          wcma.businesscenter.bcprivate.asp21895736.wcmaloginea.aspx.ter34.com
19355 NXDOMAIN          wcma.businesscenter.bcprivate.asp80440829.wcmaloginea.aspx.vfr331.com
19355 NXDOMAIN          wcma.businesscenter.bcprivate.asp21633410.wcmaloginea.aspx.65rad.com
19355 NXDOMAIN          wcma.businesscenter.bcprivate.asp12415378.wcmaloginea.aspx.345tg.com
19356 NXDOMAIN          wcma.businesscenter.bcprivate.asp82535190.wcmaloginea.aspx.ter34.com
19356 NXDOMAIN          wcma.businesscenter.bcprivate.asp61235476.wcmaloginea.aspx.7iuhf.com
19356 NXDOMAIN          wcma.businesscenter.bcprivate.asp28186433.wcmaloginea.aspx.7iuhf.com
19357 NXDOMAIN          wcma.businesscenter.bcprivate.asp30988404.wcmaloginea.aspx.ter34.com
19357 NXDOMAIN          wcma.businesscenter.bcprivate.asp92769387.wcmaloginea.aspx.dres61.com
19357 NXDOMAIN          wcma.businesscenter.bcprivate.asp68011858.wcmaloginea.aspx.ter34.com
 

Domain registration info

   Phish domain         Registrar      Registered   Status

345tg.com REGISTER.COM 10/21/2007 (suspended)
3l24.com REGISTER.COM 10/21/2007 (suspended)
65rad.com REGISTER.COM 10/21/2007 (suspended)
7iuhf.com REGISTER.COM 10/21/2007 (suspended)
87ud.com REGISTER.COM 10/21/2007? (cancelled?)
bbsq1.com REGISTER.COM 10/21/2007 (suspended)
c1j1.com REGISTER.COM 10/21/2007 (suspended)
dres61.com REGISTER.COM 10/21/2007 (suspended)
dvu8.com REGISTER.COM 10/21/2007 (suspended)
enn1.com REGISTER.COM 10/21/2007 (suspended)
kiier1.ch www.switch.ch 10/19/2007? (suspended)
mol11.com REGISTER.COM 10/21/2007 (suspended)
ocs2.com REGISTER.COM 10/21/2007 (suspended)
ter34.com REGISTER.COM 10/21/2007 (suspended)
vfr331.com REGISTER.COM 10/21/2007 (suspended)


DNS server domain         Registrar      Registered   Status

ebigstep.com INFO AVENUE 9/27/2007
goldbigstar.com INFO AVENUE 10/06/2007




nwrickert

Rock phish report Oct 23, 2007

The Tuesday report:

Domain registration info

   Phish domain         Registrar        Registered

fc986.us AMERICAN DOMAIN 10/22/2007
ia244.net DOTALLIANCE 10/22/2007
ll2213.com DOTALLIANCE 10/22/2007
ll3311.com DOTALLIANCE 10/22/2007
ll780.com DOTALLIANCE 10/22/2007
sd323.com DOTALLIANCE 10/22/2007
sd690.com DOTALLIANCE 10/22/2007
ss69.us AMERICAN DOMAIN 10/22/2007
vc232.com DOTALLIANCE 10/22/2007


DNS server domain         Registrar        Registered

ebigstep.com INFO AVENUE 9/27/2007
goldbigstar.com INFO AVENUE 10/06/2007


--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.8


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

Rock phish report Oct 24, 2007

The Wednesday report:

Domain registration info

   Phish domain         Registrar        Registered   Status

dre43.com REGISTER.COM 10/21/2007
fc986.us AMERICAN DOMAIN 10/22/2007 (cancelled)
fde56.com REGISTER.COM 10/21/2007
jdt53.com REGISTER.COM 10/21/2007
ll2213.com DOTALLIANCE 10/22/2007
rjt27.com REGISTER.COM 10/21/2007
rmx54.com REGISTER.COM 10/21/2007
vc232.com DOTALLIANCE 10/22/2007 (cancelled)


DNS server domain         Registrar        Registered

ebigstep.com INFO AVENUE 9/27/2007
goldbigstar.com INFO AVENUE 10/06/2007


--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.8


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

Rock phish report Oct 25, 2007

The Thursday report:

Domain registration info

   Phish domain         Registrar        Registered

f0ge3.com REGISTER.COM 10/25/2007
hfd92.com REGISTER.COM 10/24/2007
jkw69.com REGISTER.COM 10/24/2007
kmq72.com REGISTER.COM 10/21/2007
knq63.com REGISTER.COM 10/21/2007
mhe78.com REGISTER.COM 10/21/2007
rjt27.com REGISTER.COM 10/21/2007
rmx54.com REGISTER.COM 10/21/2007
trs83.com REGISTER.COM 10/24/2007
ups38.com REGISTER.COM 10/21/2007
x64s2.com REGISTER.COM 10/25/2007


DNS server domain         Registrar        Registered

ebigstep.com INFO AVENUE 9/27/2007
goldbigstar.com INFO AVENUE 10/06/2007


--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.8


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

Rock phish report Oct 26, 2007

The Friday report:

Domain registration info

   Phish domain         Registrar        Registered   Status

de22s.com unknown 10/24/2007? (cancelled?)
dfv92.com REGISTER.COM 10/21/2007
f0ge3.com REGISTER.COM 10/25/2007 (suspended)
fc986.us AMERICAN DOMAIN 10/22/2007 (cancelled)
fd3452.com unknown 10/22/2007? (parked)
fdg31.com unknown 10/31/2007? (cancelled?)
fs680.net unknown 10/22/2007? (parked)
h53ds.com REGISTER.COM 10/25/2007
jdt53.com REGISTER.COM 10/21/2007
knq63.com REGISTER.COM 10/21/2007
ll3311.com DOTALLIANCE 10/22/2007 (parked)
ll534.com unknown 10/22/2007? (parked)
ll691.com unknown 10/22/2007? (parked)
nm2w.com REGISTER.COM 10/25/2007 (suspended)
oqs57.com REGISTER.COM 10/24/2007 (cancelled)
pmj55.com unknown 10/23/2007? (cancelled?)
ref39.com REGISTER.COM 10/21/2007
sd323.com DOTALLIANCE 10/22/2007 (parked)
sd690.com DOTALLIANCE 10/22/2007 (cancelled)
we698.com unknown 10/24/2007? (cancelled?)


DNS server domain         Registrar        Registered

ebigstep.com INFO AVENUE 9/27/2007
goldbigstar.com INFO AVENUE 10/06/2007


--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.8


antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
kudos:2
Reviews:
·PenTeleData
·ProLog

reply to nwrickert

Re: Rock phish information - continued

I see a much bigger problem with phishing sites using 'Fast-Flux' on both their A NAMES (with low TTL) and Name Server locations, which in my opinion is the best way to shut down these fraudulent sites.
»spamtrackers.eu/wiki/index.php?t···ast-flux

---------------------------------

Who or What Is 'Rock Phish' and Why Should You Care?
Security experts believe that the entity or people behind Rock Phish are the rock stars/innovators of most new evil phishing scams.
Robert McMillan, IDG News Service
Tuesday, December 12, 2006 5:00 PM PST

SAN FRANCISCO -- The first thing you need to know about Rock Phish is that nobody knows exactly who, or what, they are.

Wikipedia defines the Rock Phish Kit as "a popular tool designed to help nontechnical people create and carry out phishing attacks," but according to security experts, that definition is not correct.

They say that Rock Phish is actually a person, or perhaps a group of people, responsible for as much as one-half of the phishing attacks being carried out these days.

Why should you care? Phishers try to trick Internet users into divulging sensitive information on phony Web pages made up to look like a bank site or an on-line shopping site. It's a type of attack that is becoming very lucrative. Research firm Gartner estimates that phishers will cost U.S. businesses and consumers a whopping $2.8 billion this year. The average take: $1244 per victim.
»www.pcworld.com/article/id,12817···cle.html

---------------------------------

Rock Phish May Be Using Fast Flux in Phishing Attacks
Security researchers believe Rock Phish is behind as many as one-half of all phishing attacks on the Web.
Elizabeth Montalbano, IDG News Service

The elusive "Rock Phish" group continues to be innovative. The group appears to have started using the so-called "fast flux" method to fool researchers and elude detection, according to new security research.

Cambridge University security researchers Richard Clayton and Tyler Moore tracked 30,000 phishing reports that came in through Phish Tank, a clearing house that tracks phishing sites, between February and April 2007. They found a link between Rock Phish and the fast flux approach.

The researchers logged their findings, among other things, in a paper, "Examining the Impact of Website Takedown on Phishing," that computer science PhD candidate Moore presented at the Anti-Phishing Work Group (APWG) eCrime Researchers Summit in Pittsburgh Thursday.

Nobody knows exactly who or what Rock Phish are -- whether it's one person or a group of people -- but security researchers believe Rock Phish is behind as many as one-half of all phishing attacks on the Web. Fast flux is a method by which a domain name that phishers use has multiple IP (Internet Protocol) addresses assigned to it. The phishers switch those domains quickly between the addresses so that it's not as easy to find or shut down the phishing sites.

With fast flux, once a phishing site is found, it's not simply a matter of going to the Internet service provider hosting the domain name to shut down the site; authorities must go to the domain name registrar, which is more time consuming and complex, Moore said.
»www.pcworld.com/article/id,13807···cle.html
--

Specializing in "take downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
»dundermifflininfinity.com
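As an added example, not from this thread or either poster, here is a defender's heuristic for the behaviour the post above describes: a name whose low-TTL answer set keeps rotating across addresses in unrelated networks. The samples, names and addresses are constructed placeholders, the thresholds are assumptions, and the CDN-like control name shows why a low TTL on its own is not enough to flag a domain.

```python
"""Fast-flux heuristic over DNS resolution samples (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed observations: (seconds since first lookup, name, TTL, A record set).
# Names use the reserved .test TLD and documentation address ranges; they are
# placeholders, not real observations from the thread.
SAMPLES = [
    (0,   "ns1.example-flux.test", 180, {"203.0.113.10", "198.51.100.7", "192.0.2.33"}),
    (200, "ns1.example-flux.test", 180, {"203.0.113.10", "198.51.100.90", "192.0.2.58"}),
    (400, "ns1.example-flux.test", 180, {"198.51.100.90", "192.0.2.58", "203.0.113.200"}),
    (600, "ns1.example-flux.test", 180, {"192.0.2.101", "203.0.113.200", "198.51.100.5"}),
    # CDN-like control: low TTL and a rotating answer set, but every address
    # comes from one network and only three addresses are ever seen.
    (0,   "www.example-cdn.test", 60, {"203.0.113.40", "203.0.113.41"}),
    (200, "www.example-cdn.test", 60, {"203.0.113.41", "203.0.113.42"}),
    (400, "www.example-cdn.test", 60, {"203.0.113.40", "203.0.113.42"}),
    (0,   "www.example-static.test", 86400, {"192.0.2.9"}),
    (600, "www.example-static.test", 86400, {"192.0.2.9"}),
]


@dataclass
class FluxScore:
    name: str
    min_ttl: int
    distinct_ips: int
    distinct_prefixes: int  # distinct /16 networks, a crude proxy for hosting diversity
    changes: int            # consecutive samples whose answer set differed

    def is_fast_flux(self, max_ttl=300, min_ips=5, min_prefixes=3, min_changes=2):
        """Assumed thresholds: every condition must hold, so a low TTL alone never flags."""
        return (self.min_ttl <= max_ttl and self.distinct_ips >= min_ips
                and self.distinct_prefixes >= min_prefixes and self.changes >= min_changes)


def score(samples):
    """Aggregate per-name statistics from (time, name, ttl, answers) tuples."""
    by_name = defaultdict(list)
    for t, name, ttl, answers in samples:
        by_name[name].append((t, ttl, frozenset(answers)))
    results = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o[0])
        ips = set().union(*(a for _, _, a in obs))
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        changes = sum(1 for (_, _, a), (_, _, b) in zip(obs, obs[1:]) if a != b)
        results[name] = FluxScore(name, min(ttl for _, ttl, _ in obs),
                                  len(ips), len(prefixes), changes)
    return results


def flagged(samples):
    """Names that meet every fast-flux condition, sorted."""
    return sorted(n for n, s in score(samples).items() if s.is_fast_flux())


if __name__ == "__main__":
    for s in score(SAMPLES).values():
        print(s, "<- FAST-FLUX" if s.is_fast_flux() else "")
```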


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

The domain registration system is a big part of the problem.

In my experience, domain registrars are slow to shut down the domains used for the phish DNS servers. Glue records are also a problem. Rockphish were registering new domains using DNS servers in the domain "bar-bar-com.com" for a month after "bar-bar-com.com" was shut down. And this worked because the glue records remained in place. Try a lookup for "t1.bar-bar-com.com", and you will find that it still exists as a glue record.

Here are my suggestions to domain registrars:

  • When a domain is registered, the registrar should offer free DNS for that domain;

  • For a new customer, the registrar should insist that only the registrar's DNS server be used. Until that customer has been with them for 3 months, and all payment checks have cleared, and there have been no chargebacks on credit card bills, they should not be allowed to run their own DNS server for the domain;

  • DNS changes for the domain should be handled manually by the registrar, and not by some online tool, until that 3 months is up.

--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.8


antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
kudos:2
Reviews:
·PenTeleData
·ProLog

said by nwrickert:

Rockphish were registering new domains using DNS servers in the domain "bar-bar-com.com" for a month after "bar-bar-com.com" was shut down. And this worked because the glue records remained in place. Try a lookup for "t1.bar-bar-com.com", and you will find that it still exists as a glue record.

• For a new customer, the registrar should insist that only the registrar's DNS server be used. Until that customer has been with them for 3 months, and all payment checks have cleared, and there have been no chargebacks on credit card bills, they should not be allowed to run their own DNS server for the domain;
• DNS changes for the domain should be handled manually by the registrar, and not by some online tool, until that 3 months is up.

Searching for t1.bar-bar-com.com NS record at h.root-servers.net [128.63.2.53]: Got referral to m.gtld-servers.net. (zone: com.) [took 42 ms]
Searching for t1.bar-bar-com.com NS record at m.gtld-servers.net. [192.55.83.30]: Reports that no NS records exist. [took 234 ms] Response: No NS records exist for t1.bar-bar-com.com. [Neg TTL=900 seconds] Details: m.gtld-servers.net. (an authoritative nameserver for com.) says that there are no NS records for t1.bar-bar-com.com. The E-mail address in charge of the com. zone is: nstld@verisign-grs.com.

--------------------------

I highly don't agree with your idea of having a probational period for domain name registration, especially being tied down to the registrar's name servers. Years ago Network Solutions used to be a pain in the a$$ getting your domain name off their name servers. This is when you used to have to use Network Solutions' template system to verify who you were, so that you didn't get your domain name hijacked.

If you pay for a domain name registration, you should be able to do whatever you want with it, from day one without going through a lot of hassle to make changes.

If you are tied down to a certain registrar/nameserver for three months, and they are not reliable enough, should you deal with it for ninety days? I wouldn't.
--

Specializing in "take downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
»dundermifflininfinity.com


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

said by antiphishing:

Response: No NS records exist for t1.bar-bar-com.com.

Quite right. However, an A record exists:
t1.bar-bar-com.com.     172800  IN      A       200.72.139.67

And that A record (the old glue record) is enough to use t1.bar-bar-com.com as a nameserver for your botnet, provided you still own 200.72.139.67.
said by antiphishing:

I highly don't agree with your idea of having a probational period for domain name registration, especially being tied down to the registrar's name servers.

Remember that this would only be for new customers. It would not apply to new domains for established customers. And maybe it wouldn't apply if you pay a personal visit to the registrar's office (or the office of one of their agents), and prove your identity. The cybercriminals are registering new domains under stolen identities and paying for them with stolen credit cards. And something needs to be done to make that more difficult.

--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.8
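An added example, not from the thread, of the check implied by the two posts above: scan a parent-zone snapshot for glue A records whose owning domain no longer has an NS delegation, and list any other delegations that still point at that host. The zone lines, names and addresses are constructed placeholders (the thread's own host is not used), and the two-label parent_domain rule is an assumption that holds for .com but not for every TLD.

```python
"""Orphan glue check over a constructed parent-zone snapshot (added example)."""
from collections import defaultdict

# Constructed snapshot of delegation and glue records at a parent zone, in the
# layout of dig answer lines. The orphan-example.test delegation has been
# removed, but the glue A record for its former name server host remains, and
# a newer delegation still points at that host.
PARENT_ZONE_SNAPSHOT = """\
good-example.test.       172800  IN  NS  ns1.good-example.test.
good-example.test.       172800  IN  NS  ns2.good-example.test.
ns1.good-example.test.   172800  IN  A   192.0.2.1
ns2.good-example.test.   172800  IN  A   192.0.2.2
t1.orphan-example.test.  172800  IN  A   198.51.100.67
other-example.test.      172800  IN  NS  ns1.good-example.test.
phish-example.test.      172800  IN  NS  t1.orphan-example.test.
"""


def parse_zone(text):
    """Return (delegations, glue) from dig-style resource record lines.

    delegations: domain -> set of NS host names; glue: host name -> set of addresses.
    """
    delegations = defaultdict(set)
    glue = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # skip blank, comment or unexpected lines
        owner, _ttl, _cls, rtype, rdata = parts
        owner = owner.lower().rstrip(".")
        if rtype == "NS":
            delegations[owner].add(rdata.lower().rstrip("."))
        elif rtype in ("A", "AAAA"):
            glue[owner].add(rdata)
    return delegations, glue


def parent_domain(host):
    """Registered domain a glue host belongs to (assumed two-label rule, as for .com)."""
    return ".".join(host.split(".")[-2:])


def orphan_glue(text):
    """Glue hosts whose own domain is no longer delegated, with the delegations
    that still reference them: host -> (sorted addresses, sorted referring domains)."""
    delegations, glue = parse_zone(text)
    findings = {}
    for host, addrs in glue.items():
        if parent_domain(host) in delegations:
            continue
        referrers = sorted(d for d, hosts in delegations.items() if host in hosts)
        findings[host] = (sorted(addrs), referrers)
    return findings


if __name__ == "__main__":
    for host, (addrs, referrers) in orphan_glue(PARENT_ZONE_SNAPSHOT).items():
        print(f"orphan glue {host} -> {', '.join(addrs)}; still used by: {referrers}")
```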


antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
kudos:2
Reviews:
·PenTeleData
·ProLog

said by nwrickert:

Response: No NS records exist for t1.bar-bar-com.com.
Quite right. However, an A record exists:
t1.bar-bar-com.com.     172800  IN      A       200.72.139.67

And that A record (the old glue record) is enough to use t1.bar-bar-com.com as a nameserver for your botnet, provided you still own 200.72.139.67.
I highly don't agree with your idea of having a probational period for domain name registration, especially being tied down to the registrar's name servers.
Remember that this would only be for new customers. It would not apply to new domains for established customers. And maybe it wouldn't apply if you pay a personal visit to the registrar's office (or the office of one of their agents), and prove your identity. The cybercriminals are registering new domains under stolen identities and paying for them with stolen credit cards. And something needs to be done to make that more difficult.

Damn, this forum post keeps locking up my Firefox browser, asking me if I want to "Stop the Script".

If I was a new customer registering a new DN, I wouldn't want some internet company telling me that I couldn't move a domain name to another registrar or nameserver.

It shouldn't be that Internet users should have to suffer because of scum who perpetrate fraudulent activity.

--

Specializing in "take downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
»dundermifflininfinity.com

MGD
Premium,MVM
join:2002-07-31
kudos:9

reply to antiphishing

said by antiphishing:

......I highly don't agree with your idea of having a probational period for domain name registration,.............

If you pay for a domain name registration, you should be able to do whatever you want with it, from day one without going through a lot of hassle to make changes.......
But that is the inherent problem: phishers do not pay for domain registrations, they use previous phish victims' card data to pay for them. Registrars appear to be unwilling or unable to address that issue. It may take anywhere from 5 to 30 days for the charge to be rejected and charged back as fraudulent. In the interim the phisher has had full use of the fraudulent domain registration. In fact, even if they only have use of it for a few days, it more than fills their need.

Phishers have multi-million phish mailings ready to go, and within minutes of the domain being registered the run is underway. Phishers achieve a maximum response rate within 24 to 48 hours; that is all the time they need. So an entire cyber criminal enterprise has been operating within these parameters for quite some time now.

nwrickert's recommendations are a few methods that registrars could enact to filter the fraud up front and prevent the phishers from basically obtaining free registration at will.

It is not rocket science either: for almost a year the .cn registrar apparently was not fazed by the fact that a Jane Doe from Kentucky in the USA was constantly registering China domains in the format xyzabc.cn which instantly became phishing sites. That unique pattern of repeated domain registration could have easily been stopped. Ultimately they are not going to be paid for them anyway.

It took an enormous amount of pressure to get the registrar to respond to the fraud domains. The Rockphisher was able to park himself at the registrar and repeat this process over and over for months.

ICANN has not helped the situation with fraud domains either. Their enacting of the 5 day domain tasting rule only aggravated this problem.
over 12.5 years online © 1999-2012 dslreports.com.