Dailydave mailing list archives

Re: Distributed Phishing


From: Joe Stewart <jstewart () lurhq com>
Date: Mon, 2 May 2005 13:47:55 -0400

On Monday 02 May 2005 01:29 pm, byte_jump wrote:
> I thought you folks would be interested in this new phishing tactic,
> which is really quite clever.
>
> I know of a company that is experiencing a phishing scam that is
> organized in a way that I have never seen before. The hostname that
> is hosting the phishing site is served up by five different name
> servers. Those five name servers are on home computers residing on
> networks such as Comcast, Charter, etc.
>
> The name servers are using some sort of round-robin DNS to serve up
> five different IP addresses for the phishing site, and the five IP
> addresses used are changing every ten to fifteen minutes. The IPs
> hosting the phishing site also are home machines on the Comcast,
> Charter, etc. networks.

This network has been in operation for almost a couple of years now. It 
was first observed in June 2003 by spamfighters in NANAE. The phishing 
site itself is located on a single host; the cablemodem IPs are used as 
reverse proxies to that host. Back in 2003 it was serving up different 
illicit porn sites, but we believed that was just a front in order to 
phish for credit card information from would-be registrants.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
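
Added example, not part of the original message or of either poster's tooling: a defender-side check that separates the rotating A-record behaviour described above from ordinary round-robin DNS, using repeated lookups of the same hostname. It covers only the A-record rotation, not the name servers or the back-end host. The hostnames, the addresses (RFC 5737 documentation ranges), the observation format and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_observations():
    """Constructed passive-DNS samples: (time, hostname, A-record set)."""
    t0 = datetime(2005, 5, 2, 12, 0)
    stable = frozenset(f"192.0.2.{k}" for k in range(1, 6))
    obs = []
    for i in range(6):  # one lookup every 12 minutes
        when = t0 + timedelta(minutes=12 * i)
        # Rotating host: five A records, all replaced at each lookup.
        flux = frozenset(f"198.51.100.{5 * i + k}" for k in range(1, 6))
        obs.append((when, "login.example.test", flux))
        # Ordinary round-robin host: same five A records every time.
        obs.append((when, "www.example.test", stable))
    return obs

def flux_report(observations, min_distinct=10,
                max_rotation=timedelta(minutes=20)):
    """Flag hostnames whose A-record set keeps being replaced."""
    by_host = defaultdict(list)
    for when, host, ips in observations:
        by_host[host].append((when, frozenset(ips)))
    report = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        distinct = set().union(*(ips for _, ips in rows))
        # Lookup times at which the answer differs from the previous one.
        changes = [cur[0] for prev, cur in zip(rows, rows[1:])
                   if cur[1] != prev[1]]
        # Gap before each change; resolution is limited by the lookup rate.
        gaps = [b - a for a, b in zip([rows[0][0]] + changes, changes)]
        avg = sum(gaps, timedelta()) / len(gaps) if gaps else None
        report[host] = {
            "distinct_ips": len(distinct),
            "set_changes": len(changes),
            "avg_rotation": avg,
            "suspect": (len(distinct) >= min_distinct
                        and avg is not None and avg <= max_rotation),
        }
    return report

if __name__ == "__main__":
    for host, row in flux_report(sample_observations()).items():
        print(host, row)
```

A plain round-robin name returns the same small set on every lookup, so it never reaches the distinct-address threshold; the rotating name accumulates new addresses at each sample.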

