

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

reply to Dennis

Re: [Phish] email from CDC "personal vaccination profile"

There are currently two of those "phish" on phishtracker. They come from the rock phishers. They try to run a Windows executable "vacc_profile.exe" and at present AV detection of this is weak. See also »phish #42363 - malware alert
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.15

MGD
Premium,MVM
join:2002-07-31
kudos:9

I see Phish submit 42363:»/phishtrack?pi···3&urls=1 is for the same NYUGEWN.BE fraud domain, while Phish submit 42364:»/phishtrack?pi···4&urls=1 is for a fraud domain YHNBAM.CO.IM

The fraudulently registered NYUGEWN.BE per ICANN regulations is eligible for immediate revocation:

===================================
Domain Name NYUGEWN.BE
Status REGISTERED
Registered December 1, 2009
Last update December 1, 2009 1:57 PM

Licensee
Name: Tom McCarthy
Organisation: Tom McCarthy

Language English

Address: 13895 Keiber Rd.,
48838 Antwerp
Belgium

Phone +32.7812713

Email rickys36246@hotmail.com

Agent technical contacts:

Name Active 24 ASA - Registry Department
Organisation Active 24 ASA

Language English:

Address Pilestredet 75C
P.O. box 5198 Majorstua
N-0302 Oslo
Norway
Phone +47.21933000
Fax +47.21933001
Email registry[@]registry.active24.com

Agent
Organisation Active 24 ASA

Website www.active24.be/
Nameservers

ns1.davies-estates.com
ns1.pandachine.com
===================================
File: registry[@]registry.active24.com & »www.dns.be/public/whois/FileComp···=nyugewn

The fraudulent registration, listed as being in Antwerp, Belgium, belongs to this individual / business:

Outdoor Optic Shop

Tom McCarthy
13895 Keiber Rd.
Greenville, Mi 48838
616-754-5530

»www.armedforcesjournal.com/black···irectory

Not sure if the owner's card data was used for payment.

The DNS servers' domains are the best targets, since these phish virus spams are bot-mailed and bot-hosted. Also likely to be fast-flux DNS.

MGD


MGD
Premium,MVM
join:2002-07-31
kudos:9

1 edit

reply to nwrickert

said by nwrickert:

There are currently two of those "phish" on phishtracker. They come from the rock phishers. They try to run a Windows executable "vacc_profile.exe" and at present AV detection of this is weak. See also »phish #42363 - malware alert
Indeed, classic RBN rockphish traits. Four of the name servers in use for the above two domains:

ns1.davies-estates.com
ns1.pandachine.com
ns1.a-personalhire.com
ns1.shuzmen.com

Since this is US targeted it is common for them to have at least one IP per dns domain hosted in the US.

a-personalhire.com is also used in conjunction with ns1.poolandmonster.com in another Zbot campaign which involves another 13 Belgian Domains in addition to the known nyugewn.be. Classic Rockphish style:


»www.malwareurl.com/ns_listing.ph···hire.com

Obviously a major planned operation, someone's bot net and bank card / login database was close to "E".

MGD
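The two pivots used in this thread (grouping fraud domains by the name servers they share, and treating a domain whose A records churn through many short-TTL IPs as likely fast-flux) as an added Python example; this is not code from the thread or from phishtracker, and the domain-to-name-server pairings and resolver log rows below are constructed sample data, not observations from the campaign.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample data (not from the thread): which domain sat behind which
# name server. Real pairings for these names were not given in the posts.
NS_OBS = [
    ("nyugewn.be", "ns1.davies-estates.com"),
    ("nyugewn.be", "ns1.pandachine.com"),
    ("yhnbam.co.im", "ns1.a-personalhire.com"),
    ("yhnbam.co.im", "ns1.shuzmen.com"),
    ("hssaze.be", "ns1.a-personalhire.com"),
    ("hssaze.be", "ns1.poolandmonster.com"),
    ("shop.example", "ns1.hoster.example"),
]
# Constructed resolver log: (domain, minutes since start, A record, TTL), TEST-NET IPs.
A_OBS = [
    ("nyugewn.be", 0, "198.51.100.7", 120), ("nyugewn.be", 5, "203.0.113.40", 120),
    ("nyugewn.be", 10, "192.0.2.77", 120), ("nyugewn.be", 15, "198.51.100.9", 120),
    ("nyugewn.be", 20, "203.0.113.3", 120),
    ("shop.example", 0, "192.0.2.200", 86400), ("shop.example", 60, "192.0.2.200", 86400),
]

def cluster_by_nameserver(obs):
    """Group domains that share any name server, transitively (the pivot MGD
    applied by hand above). Returns a list of sets of domains."""
    ns_to_domains, dom_to_ns = defaultdict(set), defaultdict(set)
    for dom, ns in obs:
        ns_to_domains[ns].add(dom)
        dom_to_ns[dom].add(ns)
    seen, clusters = set(), []
    for start in dom_to_ns:
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:  # walk the bipartite domain/name-server graph
            d = stack.pop()
            if d in group:
                continue
            group.add(d)
            for ns in dom_to_ns[d]:
                stack.extend(ns_to_domains[ns] - group)
        seen |= group
        clusters.append(group)
    return clusters

def fast_flux_score(obs, domain, min_ips=4, max_ttl=300):
    """Heuristic: many distinct IPs spread over several /16s, all with short TTLs.
    Returns (distinct_ips, distinct_slash16s, flagged). Thresholds are assumptions."""
    rows = [r for r in obs if r[0] == domain]
    ips = {r[2] for r in rows}
    nets = {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}
    ttl_ok = bool(rows) and max(r[3] for r in rows) <= max_ttl
    return len(ips), len(nets), bool(ttl_ok and len(ips) >= min_ips and len(nets) >= 2)
```

With real data, feed the pairs from passive DNS or the registry WHOIS "Nameservers" field and the rows from your recursive resolver's query log.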
