Dailydave mailing list archives
Re: Distributed Phishing
From: Joe Stewart <jstewart () lurhq com>
Date: Mon, 2 May 2005 13:47:55 -0400
On Monday 02 May 2005 01:29 pm, byte_jump wrote:
> I thought you folks would be interested in this new phishing tactic, which is really quite clever. I know of a company that is experiencing a phishing scam that is organized in a way that I have never seen before. The hostname that is hosting the phishing site is served up by five different name servers. Those five name servers are on home computers residing on networks such as Comcast, Charter, etc. The name servers are using some sort of round-robin DNS to serve up five different IP addresses for the phishing site, and the five IP addresses used are changing every ten to fifteen minutes. The IPs hosting the phishing site also are home machines on the Comcast, Charter, etc. networks.

This network has been in operation for almost a couple of years now. It was first observed in June 2003 by spamfighters in NANAE. The phishing site itself is located on a single host; the cablemodem IPs are used as reverse proxies to that host. Back in 2003 it was serving up different illicit porn sites, but we believed that was just a front in order to phish for credit card information from would-be registrants.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
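
A defender's view of the rotation described in this thread (five A records replaced every ten to fifteen minutes), as an added example that is not part of the original messages: it profiles repeated DNS answers for one hostname and flags rapid churn. The poll data is constructed from documentation-range addresses, and the function names and thresholds are assumptions made for this example.

```python
from datetime import datetime, timedelta
from statistics import median

def flux_profile(snapshots):
    """Summarise how a hostname's A-record set changes across polls.

    snapshots: time-ordered list of (datetime, frozenset of IP strings).
    """
    distinct = set(snapshots[0][1])
    prev_set, last_change = snapshots[0][1], snapshots[0][0]
    gaps_min, full_turnovers = [], 0
    for ts, ips in snapshots[1:]:
        distinct |= ips
        if ips != prev_set:
            gaps_min.append((ts - last_change).total_seconds() / 60)
            if not ips & prev_set:      # no address carried over
                full_turnovers += 1
            prev_set, last_change = ips, ts
    return {
        "distinct_ips": len(distinct),
        "full_turnovers": full_turnovers,
        "median_change_min": median(gaps_min) if gaps_min else None,
    }

def looks_rotating(profile, max_interval_min=20, min_distinct=10):
    # Thresholds are assumptions chosen for this example, not from the thread.
    m = profile["median_change_min"]
    return (m is not None and m <= max_interval_min
            and profile["distinct_ips"] >= min_distinct)

def constructed_polls(rotate_every_polls, set_size, polls=13, step_min=5):
    """Constructed sample data: documentation-range IPs (192.0.2.0/24)."""
    start = datetime(2005, 5, 2, 13, 0)
    out = []
    for i in range(polls):
        k = 0 if rotate_every_polls is None else i // rotate_every_polls
        ips = frozenset(f"192.0.2.{k * set_size + j + 1}" for j in range(set_size))
        out.append((start + timedelta(minutes=step_min * i), ips))
    return out

ROTATING = flux_profile(constructed_polls(3, 5))     # new set of 5 every 15 min
STABLE = flux_profile(constructed_polls(None, 2))    # same 2 addresses throughout

if __name__ == "__main__":
    for name, p in (("rotating", ROTATING), ("stable", STABLE)):
        print(name, p, "flag" if looks_rotating(p) else "ok")
```

Because the addresses are reverse proxies in front of a single host, a flag from this kind of check identifies the hostname to block or report, not the origin server.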