[Phish] Google adwords phish "please udpate your billing info"

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

reply to Dennis
Re: [Phish] Google adwords phish "please udpate your billing inf

said by Dennis:

Got this today...looks like a pretty targeted scam to me. ......
Indeed, and a harder group to phish too, not your typical mom & pop phishing.

Did not last long either:

Lookup Failed. No IP address or host name

Ping

[r4oik.cn]

Bad destination

whois query for r4oik.cn...

Results returned from whois.cnnic.net.cn:

Domain Name: r4oik.cn
ROID: 20080321s10001s58333121-cn
Domain Status: ok
Registrant Organization: gfdthy
Registrant Name: hrthhtfhrth
Administrative Email: hfgdhf@nfrujhn.cn
Sponsoring Registrar: ????????????
Name Server:ns1.borxl.com
Name Server:ns2.borxl.com
Registration Date: 2008-03-21 04:12
Expiration Date: 2009-03-21 04:12

It may come back up hosted elsewhere, as that DNS is suspect.

nameserver: ns1.borxl.com 67.215.229.45
nameserver: ns2.borxl.com 24.52.12.10

DOMAIN: BORXL.COM

RSP: IMENA.ua
URL: »www.imena.ua

created-date: 2008-03-14
updated-date: 2008-03-14
registration-expiration-date: 2009-03-14

owner-contact: P-MBT398
owner-fname: Mike
owner-lname: Tyo
owner-street: 4034 Rahn Rd
owner-city: Eagan
owner-zip: 55122
owner-country: US
owner-phone: 6513969140
owner-email: miketyo@uk2.net

MGD


Dennis
Premium,Mod
join:2001-01-26
Algonquin, IL
yeah, after my post I tried to reach it from a "test" computer and couldn't get to it.

odd....


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

said by Dennis:

yeah, after my post I tried to reach it from a "test" computer and couldn't get to it.
It's reachable. Maybe not touchable, but reachable.
»www.fr4ck.cn/icons/


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

Where would a logical traceroute of »r4oik.cn end at?
China
Brazil
France
Zululand
Romania
Memphis TN

Here's a hint: It's a phish site
»89.41.180.87/icons/

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL


edit:
March 23rd, @02:31AM

said by SnowyOne:

Where would a logical traceroute of »r4oik.cn end at? ...
Appears to be roving bot-type hosting. A 30-minute TTL on the phisher-controlled DNS rotates a pool of hosts.

A list of 10 hosts cached on a non-authoritative DNS:


; <<>> DiG 9.2.4 <<>> @algw1.att.com -t A adwords.google.com.r4oik.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22389
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;adwords.google.com.r4oik.cn. IN A

;; ANSWER SECTION:

adwords.google.com.r4oik.cn. 1800 IN A 84.108.239.70
[reverse DNS - bzq-84-108-239-70.cablep.bezeqint.net]
.
adwords.google.com.r4oik.cn. 1800 IN A 85.130.35.217
[reverse DNS - 85-130-35-217.1712826.ddns.cablebg.net]
.
adwords.google.com.r4oik.cn. 1800 IN A 86.122.171.209
[reverse DNS - 86-122-171-209.rdsnet.ro]
.
adwords.google.com.r4oik.cn. 1800 IN A 87.68.1.132
[reverse DNS - 87.68.1.132.cable.012.net.il]
.
adwords.google.com.r4oik.cn. 1800 IN A 87.68.28.118
[reverse DNS - 87.68.28.118.cable.012.net.il]
.
adwords.google.com.r4oik.cn. 1800 IN A 222.235.171.188
[no reverse DNS set]
.
adwords.google.com.r4oik.cn. 1800 IN A 59.187.199.82
[no reverse DNS set]
.
adwords.google.com.r4oik.cn. 1800 IN A 79.116.242.190
[reverse DNS - 79-116-242-190.rdsnet.ro]
.
adwords.google.com.r4oik.cn. 1800 IN A 80.97.170.165
[no reverse DNS set]
.
adwords.google.com.r4oik.cn. 1800 IN A 81.25.43.13
[reverse DNS - port-13-adslby-pool43.infonet.by]
.



A GET request to the root of the IP on several, if not all, of the above will generate a redirect to:
>http://www.microsoft.com/


Also, the actual phish page contains a 1x1 iframe for:
>http://58.65.239.3/cgi-bin/mail.cgi?p=tor

which is the subject of:

FORM id=wzMainForm name=wzMainForm

action=submit.php

method=post
and relevant to:


After the submit to 58.65.239.3/cgi-bin/mail.cgi you are then redirected to >http://www.google.com:


IP 58.65.239.3 appears to have FTP running and hosts two domains: Escortinukraine.com and Kumau.info. They may not be relevant if that IP is hijacked.

MGD
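As an added example (not code from the thread), a small Python script that parses the dig layout MGD posted above and flags the fast-flux traits he describes: a large A-record pool, a short TTL, addresses scattered across many /16s, and reverse-DNS names that look like consumer broadband lines. The sample input is constructed from the records quoted in the thread, and the residential hostname fragments are an assumed heuristic list.

```python
import re

# Constructed sample modelled on the dig output MGD quoted above: each A
# record is followed by his bracketed reverse-DNS note and a "." separator.
SAMPLE_DIG = """\
adwords.google.com.r4oik.cn. 1800 IN A 84.108.239.70
[reverse DNS - bzq-84-108-239-70.cablep.bezeqint.net]
.
adwords.google.com.r4oik.cn. 1800 IN A 85.130.35.217
[reverse DNS - 85-130-35-217.1712826.ddns.cablebg.net]
.
adwords.google.com.r4oik.cn. 1800 IN A 87.68.1.132
[reverse DNS - 87.68.1.132.cable.012.net.il]
.
adwords.google.com.r4oik.cn. 1800 IN A 222.235.171.188
[no reverse DNS set]
.
adwords.google.com.r4oik.cn. 1800 IN A 81.25.43.13
[reverse DNS - port-13-adslby-pool43.infonet.by]
.
"""
A_RE = re.compile(r"^\S+\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")
PTR_RE = re.compile(r"^\[reverse DNS - (\S+)\]$")
# Hostname fragments typical of consumer access lines (assumed heuristic list).
RESIDENTIAL_HINTS = ("cable", "dsl", "ddns", "pool", "dyn", "dial")

def parse_answers(text):
    """Parse the quoted layout into (ttl, ip, ptr_or_None) tuples."""
    records = []
    for line in text.splitlines():
        a = A_RE.match(line.strip())
        if a:
            records.append([int(a.group(1)), a.group(2), None])
            continue
        p = PTR_RE.match(line.strip())
        if p and records:  # the note belongs to the A record just before it
            records[-1][2] = p.group(1)
    return [tuple(r) for r in records]

def flux_indicators(records, max_ttl=1800, min_hosts=5):
    """Count fast-flux traits: many hosts, short TTL, scattered /16s, residential PTRs."""
    ips = {ip for _, ip, _ in records}
    prefixes = {ip.rsplit(".", 2)[0] for ip in ips}       # /16 buckets
    residential = sum(1 for _, _, ptr in records
                      if ptr and any(h in ptr for h in RESIDENTIAL_HINTS))
    ttl = max((t for t, _, _ in records), default=None)
    flags = [len(ips) >= min_hosts, ttl is not None and ttl <= max_ttl,
             len(prefixes) >= min_hosts, residential * 2 >= len(records)]
    return {"hosts": len(ips), "ttl": ttl, "prefixes": len(prefixes),
            "residential": residential, "fast_flux": sum(flags) >= 3}
```

Three or more of the four traits mark the pool as likely fast-flux; a single stable host with a day-long TTL and a data-centre PTR scores none of them.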


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

said by MGD:

IP 58.65.239.3 appears to have FTP running and hosts two domains: Escortinukraine.com and Kumau.info.
OK,OK, but just in the defense of Truth, Justice & The GoogleWay!

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL


edit:
March 23rd, @02:54AM

LOL !!

....
..
For reference, in case it disappears, here is the source code for the entire phish page. For some reason it causes an immediate GPF on my web browser. I am not sure why.


MGD


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

said by MGD:

For reference, in case it disappears, here is the source code for the entire phish page. For some reason it causes an immediate GPF on my web browser. I am not sure why.

Uhm, excuse me, but that's why you're supposed to put crap like this on other people's servers.


Dennis
Premium,Mod
join:2001-01-26
Algonquin, IL
oh man here we go again



Dennis
Premium,Mod
join:2001-01-26
Algonquin, IL

edit:
April 7th, @09:49AM

two more this morning...

It just occurred to me now that this is way too focused of an attack to be random or luck. Plus I'm getting them to two very specific email addresses...so after a little digging I've found only one place that they could have been pulled from.

Google Analytics
»https://www.google.com/analytics

It's the only place that both email addresses were in (I get daily reports on different sub domains, one to each) so I have to assume at this point that somebody gained access to the list of emails and assumed that a majority of people using Google Analytics were also using Google Adwords (not to be confused with Adsense).

Now the only question is...does google know???

--
My Blog. Because I desperately need the acknowledgement of others.

Meet my son, Connor.


Dennis
Premium,Mod
join:2001-01-26
Algonquin, IL
and again:

No response from google about this at all yet...


Dennis
Premium,Mod
join:2001-01-26
Algonquin, IL

You know the frequency of these is what scares me the most...



Dennis
Premium,Mod
join:2001-01-26
Algonquin, IL

edit:
April 8th, @08:23AM

lord...why did I even try. All they did was send me an explanation of what "spoofing" is.

Good to see that Google has joined the ranks of the large companies that hire people dumb enough to not understand the emails they get.

On second thought...it was probably just a small perl script that responded to me.



VisualdreamZ

@cox.net

Gotta point out one other thing about this that is a little scarier than your average phishing scheme. It follows the logical procession of what it claims to be. In order, and on a reasonable time frame.

I unfortunately did not keep most of these, but I received the first I think sometime in late February. Received a couple more in March and earlier April. And now I just received one yesterday (as I scrolled through my spam box) that claimed "Your adwords account has now been 'stoped'." (Thank god for illiterate phisphers!)

But the fact that it well mimics the general progress of a real account shut down indicates a somewhat higher level of intelligence here. And - that scares me. LOL

Just thought I'd share my observation, and thanks for allowing a body to post without creating yet another account =)

V--Z

PS - I tried telling google, too, and also got the standard scripted response. Thank god for form letter writers, too, keeping otherwise perfectly good telemarketers from calling me!