owlick (Member, join:2002-10-10, Winchester, VA), 2 edits

VISA Phishing Scam

[email screenshot]
[link screenshot]
This morning I received an email supposedly from Visa to update my card information.

Attached are 2 screenshots, the header info and the source from the email. I have emailed Visa and abuse@energis.com as that is where it looks to be originating.

Please take a look and add comments or advise on where else this should go:

********header info*********
Return-Path:
Received: from tmailt1.svr.pol.co.uk by lists.redcross.org (LSMTP for Windows
NT v1.1b) with SMTP id ; Tue, 23 Dec
2003 7:54:26 -0500
Received: from user-7474.l1.c2.dsl.pol.co.uk ([81.77.61.50] helo=81.77.61.50)
by tmailt1.svr.pol.co.uk with smtp (Exim 4.14)
id 1AYm3J-00042R-Hc
for test-l-request@lists.redcross.org; Tue, 23 Dec 2003 12:54:21 +0000
Date: Tue, 23 Dec 2003 06:54:16 -0600
From: Visa International Service
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service
Organization: Visa International Service
X-Priority: 3 (Normal)
To: test-l-request@lists.redcross.org
Subject: Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id:
X-OriginalArrivalTime: 23 Dec 2003 12:54:29.0442 (UTC) FILETIME=[E72C6220:01C3C953]
***************end header***********

HTML source without brackets:

IMG src=http://64.21.80.2/~gotier/p_secure_holiday.jpg --- fake site

Dear Customer,

Our latest security system will help you to avoid possible fraud actions and keep your investments in safety.

Due to technical security update you have to reactivate your account

Click on the link below to login to your updated Visa account.

To log into your account, please visit the Visa Website at

a href=http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=
SecurityUpdate&StateLevel=GetFrom@64.21.80.2/~gotier/verified_by_visa.htm »www.visa.com -- fake site

We respect your time and business. It's our pleasure to serve you.

Please don't reply to this email. This e-mail was generated by a mail handling system.

IMG src=http://64.21.80.2/~gotier/white_visa_logo.gif

Copyright 1996-2003, Visa International Service Association. All rights reserved.

*******end html****

In the card verification popup I simply entered random data, which also tells me this is a fake or scam...

I will test on patched IE6 machine in a few minutes to see if main link is coded for the recent IE vulnerability.

Sorry one last edit,

popup source...
form method=post action=http://64.21.80.2/~gotier/r.php
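How the link in the HTML source above hides its real destination, as an added example (not code from the original post): everything before the last "@" in the authority part is userinfo (user:password), so "www.visa.com" is only a username and the server actually contacted is 64.21.80.2. Assumes only the Python standard library; the href is the one quoted above with its two lines joined.

```python
from urllib.parse import urlsplit

# Constructed from the href quoted in the post above (the two source lines joined).
PHISH_HREF = ("http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495"
              "&usersoption=SecurityUpdate&StateLevel=GetFrom"
              "@64.21.80.2/~gotier/verified_by_visa.htm")


def analyse_link(href, link_text):
    """Split an href into what the victim is shown and where it really goes.

    Anything before the last '@' in the authority is userinfo and never names
    the server; the real host is whatever follows the '@'.
    """
    parts = urlsplit(href)
    userinfo, _, _hostport = parts.netloc.rpartition("@")
    real_host = parts.hostname or ""        # host actually contacted
    shown_user = userinfo.partition(":")[0]  # 'user' part, styled like a host
    return {
        "link_text": link_text,
        "userinfo": userinfo,
        "real_host": real_host,
        "path": parts.path,
        # a userinfo that contains a dot is dressed up to read as a hostname
        "userinfo_masquerades": "." in shown_user,
        # the visible anchor text names a different host than the one contacted
        "text_host_mismatch": link_text.lower().strip("/") != real_host,
        # the classic trick needs both: fake host before '@', real host after it
        "deceptive": bool(userinfo) and link_text.lower().strip("/") != real_host,
    }


if __name__ == "__main__":
    info = analyse_link(PHISH_HREF, "www.visa.com")
    print(f"shown to the user : {info['link_text']}")
    print(f"actually goes to  : {info['real_host']}{info['path']}")
    print(f"deceptive         : {info['deceptive']}")
```

Current browsers either strip the userinfo part or warn about it, which is why this particular trick is rarely seen today; the check is still useful for mail filters that inspect raw HTML.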

Chief Sparky, 52 Still On Patrol (Premium Member, join:2001-04-25, Thibodaux, LA)

Re: Visa Scam

Can you post the actual email header info? Then we can track the bugger down.
owlick (Member, join:2002-10-10, Winchester, VA)

Re: VISA Phishing Scam

Sorry my fat fingers attacked me this morning. Need... coffee... not... going ... to ... make it...

Chief Sparky, 52 Still On Patrol (Premium Member, join:2001-04-25, Thibodaux, LA), 1 edit

Well, it came from the UK... here's the traceroute. You could also report the scam to his ISP, Energis UK (»www.energis-squared.net/)

Domain Name:
pol.co.uk

Registrant:
Planet Online Ltd

Registrant's Agent:
Energis Communications Ltd [Tag = ENERGIS-SQUARED]
URL: »www.energis.com

Relevant Dates:
Last updated: 27-May-2002

Name servers listed in order:
earth.theplanet.net 195.92.195.222
venus.theplanet.net 194.152.65.222
pluto.theplanet.net 195.92.67.32

WHOIS database last updated at 13:49:52 23-Dec-2003

jimkyle, Btrieve Guy (Premium Member, join:2002-10-20, Oklahoma City, OK) to Chief Sparky

Re: Visa Scam

I got it also, and saved it for forwarding here if nobody else did. Here's the full header information from my copy (with my address munged, of course, and POPFile's link removed for clarity):

Return-Path: <m58@delphi.com>
Received: from 211.213.189.153 ([211.213.189.153])
by ns.awebpresence.com (8.11.6/8.11.1) with SMTP id hBN9pCe14472
for <jim@myaddress>; Tue, 23 Dec 2003 04:51:13 -0500
Message-Id: <200312230951.hBN9pCe14472@ns.awebpresence.com>
Date: Tue, 23 Dec 2003 03:20:38 -0600
From: Visa International Service <security@visa-security.com>
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service <security@visa-security.com>
Organization: Visa International Service
X-Priority: 3 (Normal)
To: jim@myaddress
Subject: [spam] Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Status:

Dear Customer,
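Picking the originating IP out of a Received trail like the one above, as an added example (not code from any poster): headers are unfolded, each Received line is parsed for its "from ... by ..." pair, and the bottom-most hop is the one to report, since hops below the first line written by your own mail server can be forged by the sender. The regexes cover the three Received styles seen in this thread ("from IP ([IP])", "from [IP] (helo=IP)" and "from host ([IP] helo=IP)"); the sample is constructed from jimkyle's headers above, re-folded with standard continuation indentation.

```python
import re

# Constructed sample: the headers jimkyle posted above, re-folded with
# RFC 822 continuation lines (his address stays munged as in the post).
SAMPLE_HEADERS = """Return-Path: <m58@delphi.com>
Received: from 211.213.189.153 ([211.213.189.153])
 by ns.awebpresence.com (8.11.6/8.11.1) with SMTP id hBN9pCe14472
 for <jim@myaddress>; Tue, 23 Dec 2003 04:51:13 -0500
Message-Id: <200312230951.hBN9pCe14472@ns.awebpresence.com>
Date: Tue, 23 Dec 2003 03:20:38 -0600
From: Visa International Service <security@visa-security.com>
Subject: [spam] Visa Security Update
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def unfold(raw):
    """Join continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_chain(raw):
    """One dict per Received header, in header order (latest hop first)."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = re.search(r"\bfrom\s+(.*?)\s+by\s+(\S+)", line)
        if not m:
            continue
        src, relay = m.group(1), m.group(2)
        ip = IPV4.search(src)                   # IP the relay saw connecting
        helo = re.search(r"helo=([^\s)]+)", src)  # name the client claimed
        hops.append({"from": src, "ip": ip.group(0) if ip else None,
                     "helo": helo.group(1) if helo else None, "by": relay})
    return hops


def origin_ip(raw):
    """Bottom Received line = earliest hop = the address to send to abuse@."""
    chain = received_chain(raw)
    return chain[-1]["ip"] if chain else None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(f"{hop['by']} received from {hop['ip']} (helo={hop['helo']})")
    print("origin:", origin_ip(SAMPLE_HEADERS))
```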

justin, ..needs sleep (Mod, join:1999-05-28, 2031) to owlick

Re: VISA Phishing Scam

When the scammers figure out how to employ people with English lit degrees, we are all doomed.

pleekmo, Triptoe Through The Tulips (Premium Member, join:2001-09-14, Manchester, CT), 1 edit, to owlick

According to my copy of SamSpade:

12/23/03 11:24:07 IP block 64.21.80.2
Trying 64.21.80.2 at ARIN
Trying 64.21.80 at ARIN

OrgName: Net Access Corporation
OrgID: NAC
Address: 1719 STE RT 10E
Address: Suite 111
City: Parsippany
StateProv: NJ
PostalCode: 07054
Country: US

NetRange: 64.21.0.0 - 64.21.191.255
CIDR: 64.21.0.0/17, 64.21.128.0/18
NetName: NAC-NETBLK03
NetHandle: NET-64-21-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.NAC.NET
NameServer: NS2.NAC.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:
Comment: * Reassignment information for this network is available
Comment: * available at whois.nac.net 43
RegDate: 1999-12-22
Updated: 2001-08-22

TechHandle: ZN77-ARIN
TechName: Net Access Corporation
TechPhone: +1-800-638-6336
TechEmail: legal@nac.net

OrgAbuseHandle: ABUSE156-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-800-638-6336
OrgAbuseEmail: abuse@nac.net

OrgNOCHandle: NOC270-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-973-590-5050
OrgNOCEmail: network@nac.net

OrgTechHandle: ZN77-ARIN
OrgTechName: Net Access Corporation
OrgTechPhone: +1-800-638-6336
OrgTechEmail: legal@nac.net

OrgTechHandle: AR97-ARIN
OrgTechName: Rubenstein, Alex
OrgTechPhone: +1-973-590-5101
OrgTechEmail: alex@nac.net

# ARIN WHOIS database, last updated 2003-12-22 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Also, the SamSpade.org site itself notes that...

64.21.80.2 has valid reverse DNS of panther.dns-nac-zone.com

And also...

panther.dns-nac-zone.com resolves to 64.21.80.2

whois -h magic panther.dns-nac-zone.com

dns-nac-zone.com is registered with ENOM, INC. - redirecting to whois.enom.com
whois -h whois.enom.com dns-nac-zone.com

Registration Service Provided By: Need A Dot Com?
Contact: kbritt@needa.com
Visit: »www.needa.com

Domain name: dns-nac-zone.com

Registrant Contact:
dns-nac-zone.com
Robbie Walker (admin@dns-nac-zone.com)
N/A
Fax: N/A
P.O Box 3439
Toowoomba, QLD 4350
AU

Administrative Contact:
dns-nac-zone.com
Robbie Walker (admin@dns-nac-zone.com)
N/A
Fax: N/A
P.O Box 3439
Toowoomba, QLD 4350
AU

Technical Contact:
dns-nac-zone.com
Robbie Walker (admin@dns-nac-zone.com)
N/A
Fax: N/A
P.O Box 3439
Toowoomba, QLD 4350
AU

Billing Contact:
dns-nac-zone.com
Robbie Walker (admin@dns-nac-zone.com)
N/A
Fax: N/A
P.O Box 3439
Toowoomba, QLD 4350
AU

Status: registrar-lock

Name Servers:
ns.dns-nac-zone.com
ns0.dns-nac-zone.com
sec.dns-nac-zone.com

Creation date: 28 Dec 2002 23:56:54
Expiration date: 28 Dec 2004 23:56:54

And a traceroute shows a "fake rDNS":

3 137.164.23.225 7.571 ms netblock-lax-dc1--losnettos-dc.cenic.net [AS2150] Unknown
4 137.164.22.25 9.199 ms dc-slo-dc2--lax-dc1-pos.cenic.net [AS2150] Unknown
5 137.164.22.27 9.914 ms dc-sol-dc2--slo-dc1-pos.cenic.net [AS2150] Unknown
6 137.164.22.29 9.089 ms dc-svl-dc1--sol-dc1-pos.cenic.net [AS2150] Unknown
7 137.164.22.147 9.557 ms dc-paix-px1--svl-dc1-ge.cenic.net [AS2150] Unknown
8 198.32.176.165 10.904 ms pao1-br1-g2-1-101.gnaps.net (DNS error)
9 199.232.44.5 27.726 ms lax1-br1-p2-1.gnaps.net (DNS error) [AS1784] CentNet
10 64.200.139.93 20.781 ms lsanca3lcx1-gige10-0.wcg.net (DNS error) [AS7911] Wiltel Communications Group
11 64.200.143.74 78.963 ms anhmca1wcx3-pos9-0-oc48.wcg.net (DNS error) [AS7911] Wiltel Communications Group
12 64.200.240.30 78.389 ms hrndva1wcx2-oc48.wcg.net (DNS error) [AS7911] Wiltel Communications Group
13 64.200.240.45 122.815 ms nycmny2wcx2-oc48.wcg.net (DNS error) [AS7911] Wiltel Communications Group
14 64.200.87.230 78.212 ms nycmny2wcx3-pos10-0.wcg.net (DNS error) [AS7911] Wiltel Communications Group
15 64.200.87.110 77.991 ms nycmnyhlce1-oc48.wcg.net (DNS error) [AS7911] Wiltel Communications Group
16 64.200.86.150 77.427 ms nycmny2lce1-netaccess-atm.wcg.net (DNS error) [AS7911] Wiltel Communications Group
17 209.123.11.126 85.921 ms 0.so-0-2-0.gbr1.nwr.nac.net (DNS error) [AS8001] Net Access Corporation
18 209.123.11.58 78.506 ms 0.so-7-3-0.gbr2.oct.nac.net (DNS error) [AS8001] Net Access Corporation
19 64.21.102.22 79.114 ms 99.gi6-5.msfc1.oct.nac.net (Fake rDNS) [AS8001] Net Access Corporation
20 64.21.80.2 78.878 ms panther.dns-nac-zone.com [AS8001] Net Access Corporation

HTH.
owlick (Member, join:2002-10-10, Winchester, VA)

Looks like the site is now down. Not sure who forced it down but the links no longer work from my email and our InfoSec department says the site no longer exists. I hope someone catches who set it up to begin with.

MABaeyens (Anon, @libre.retevision.es)

The fake also came to Spain. Here is my email header info:

---------------------------------------------------------
Return-Path:
Received: from smtp06.eresmas.com ([10.128.1.106]) by ma22.eresmas.com (Netscape Messaging Server 4.15) with ESMTP id HQCDT100.CXU for ; Tue, 23 Dec 2003 10:46:13 +0100
Received: from root by smtp06.eresmas.com with scanned-ok (Exim 4.20) id 1AYj78-0000ll-7x for mabaeyens@eresmas.com; Tue, 23 Dec 2003 10:46:06 +0100
Received: from [211.61.158.34] (helo=211.61.158.34) by smtp06.eresmas.com with smtp (Exim 4.20) id 1AYj6t-0000YK-BZ for mabaeyens@eresmas.com; Tue, 23 Dec 2003 10:45:51 +0100
Date: Tue, 23 Dec 2003 03:45:46 -0600
From: Visa International Service
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service
Organization: Visa International Service
X-Priority: 3 (Normal)
To: mabaeyens@eresmas.com
Subject: Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id:
X-Spam-Score: 6.3
X-Virus-Scanned: by amavisd 0.1
--------------------------------------------------------

Spanish authorities will soon be advised about this kind of mail. In case it could be of use for your safety, here is my trace to the HELO IP address:

Node Data
Node Net Reg IP Address Location Node Name
1 - - 62.82.238.177 Zaragoza baeyens1
2 1 - 62.81.37.104 Zaragoza
3 1 - 62.81.37.92 Zaragoza zara-c2.red.auna.es
4 2 - 62.100.115.65 MADRID
5 3 - 10.127.3.10 Unknown
6 4 1 80.231.128.13 Barcelona if-3-0.core1.barcelona2.teleglobe.net
7 4 1 80.231.128.2 Barcelona if-5-0.core2.barcelona2.teleglobe.net
8 5 1 195.219.96.69 Southwark if-4-0.core1.london.teleglobe.net
9 6 1 207.45.220.37 New York if-1-0.core2.newyork.teleglobe.net
10 6 1 207.45.220.37 New York if-1-0.core2.newyork.teleglobe.net
11 6 1 207.45.223.177 New York if-3-0.core1.newyork.teleglobe.net
12 7 2 12.123.1.122 New York tbr1-p011601.n54ny.ip.att.net
13 7 2 12.123.1.122 New York tbr1-p011601.n54ny.ip.att.net
14 8 2 12.122.10.2 Chicago tbr1-cl1.cgcil.ip.att.net
15 9 2 12.122.10.46 St. Louis tbr2-cl7.sl9mo.ip.att.net
16 10 2 12.122.10.14 Los Angeles tbr2-cl2.la2ca.ip.att.net
17 10 2 12.122.10.14 Los Angeles tbr2-cl2.la2ca.ip.att.net
18 11 2 12.123.199.229 Los Angeles gar1-p3100.lsnca.ip.att.net
19 12 - 12.119.138.38 Los Angeles
20 13 - 210.180.97.25 SEOUL
21 13 - 210.180.97.115 SEOUL
22 14 - 218.38.150.194 Unknown
23 15 - 211.61.158.34 SEOUL

Sorry for the inconvenience, and best wishes for the new Year.

Regards from Spain.

-Miguel Angel Baeyens