MGD (Premium, MVM) | reply to nwrickert

Re: [Phish] email from CDC "personal vaccination profile"

said by nwrickert:
There are currently two of those "phish" on phishtracker. They come from the rock phishers. They try to run a Windows executable "vacc_profile.exe" and at present AV detection of this is weak. See also » phish #42363 - malware alert

Indeed, classic RBN rockphish traits. Four of the name servers in use for the above two domains:
ns1.davies-estates.com
ns1.pandachine.com
ns1.a-personalhire.com
ns1.shuzmen.com
Since this is US-targeted, it is common for them to have at least one IP per DNS domain hosted in the US.
a-personalhire.com is also used in conjunction with ns1.poolandmonster.com in another Zbot campaign which involves another 13 Belgian Domains in addition to the known nyugewn.be. Classic Rockphish style:
hssaze.be = VIRUS & FRAUD DOMAIN
hssazg.be = VIRUS & FRAUD DOMAIN
hssazh.be = VIRUS & FRAUD DOMAIN
hssazi.be = VIRUS & FRAUD DOMAIN
hssazj.be = VIRUS & FRAUD DOMAIN
hssazl.be = VIRUS & FRAUD DOMAIN
hssazo.be = VIRUS & FRAUD DOMAIN
hssazp.be = VIRUS & FRAUD DOMAIN
hssazq.be = VIRUS & FRAUD DOMAIN
hssazr.be = VIRUS & FRAUD DOMAIN
hssazt.be = VIRUS & FRAUD DOMAIN
hssazw.be = VIRUS & FRAUD DOMAIN
hssazy.be = VIRUS & FRAUD DOMAIN
»www.malwareurl.com/ns_listing.ph···hire.com
Obviously a major planned operation, someone's botnet and bank card / login database was close to "E".

MGD
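Added example, not part of MGD's post: a defender-side sketch of the two pivots the post relies on, namely grouping domains by the name server that serves them to surface batches of near-identical names, and finding other name servers linked through a shared domain. The records, domain names and function names below are constructed for illustration and assume (domain, name server) pairs taken from passive DNS or zone data.

```python
from collections import defaultdict

# Constructed (domain, nameserver) pairs standing in for passive-DNS or zone-file data.
SAMPLE_RECORDS = [
    ("kzpqma.example", "ns1.ns-alpha.example"),
    ("kzpqmb.example", "ns1.ns-alpha.example"),
    ("kzpqmc.example", "ns1.ns-alpha.example"),
    ("kzpqmc.example", "ns1.ns-beta.example"),
    ("kzpqmd.example", "ns1.ns-beta.example"),
    ("shop.example", "ns1.ns-gamma.example"),
    ("blog.example", "ns1.ns-gamma.example"),
    ("mail.example", "ns1.ns-gamma.example"),
]

def _norm(name):
    # Case-insensitive comparison, tolerant of a trailing root dot.
    return name.strip().lower().rstrip(".")

def index_by_nameserver(records):
    by_ns = defaultdict(set)
    for domain, ns in records:
        by_ns[_norm(ns)].add(_norm(domain))
    return by_ns

def sibling_groups(domains, min_size=3):
    """Groups of domains whose first label differs only in its last character."""
    buckets = defaultdict(set)
    for domain in domains:
        label, _, suffix = domain.partition(".")
        if len(label) >= 4 and suffix:
            buckets[(label[:-1], suffix)].add(domain)
    return sorted(sorted(g) for g in buckets.values() if len(g) >= min_size)

def flag_nameservers(records, min_size=3):
    """Map each nameserver to the sibling-name groups it serves, if any."""
    flagged = {}
    for ns, domains in index_by_nameserver(records).items():
        groups = sibling_groups(domains, min_size)
        if groups:
            flagged[ns] = groups
    return flagged

def linked_nameservers(records, ns):
    """Other nameservers that serve at least one domain also served by `ns`."""
    by_ns = index_by_nameserver(records)
    seed = by_ns.get(_norm(ns), set())
    return sorted(o for o, doms in by_ns.items() if o != _norm(ns) and doms & seed)

if __name__ == "__main__":
    print(flag_nameservers(SAMPLE_RECORDS))
    print(linked_nameservers(SAMPLE_RECORDS, "ns1.ns-alpha.example"))
```

The `min_size` threshold is a tuning assumption; unrelated domains on a shared hosting name server rarely produce groups that differ only in the final character.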