Posts

Fact or faked: “Geachte klant abn amro bank” – ABN AMRO phishing scam

Every so often we hear in the news that someone's bank account has been emptied by internet criminals. That is why we are once again paying attention to the subject: phishing. Just now an e-mail turned up in my inbox, with the subject Geachte klant abn amro bank and supposedly sent by ABN.AMRO <abnamrobank_Beveiliging [at] intl.nl>. The first paragraph read as follows:

Network Solutions phishing scam

As of today (as far as I know) a phishing scam is going around that is intended to trick Network Solutions customers out of their login names and passwords. This scam is similar to the recent Enom phishing scam (link 2).

The e-mails are being sent out with at least the following two subjects:

  • Please, renew your domains
  • Your domains will be expired soon!

and the body of the e-mail tells a story about an expired domain that has been sold, for which the recipient can receive a percentage of the sale price.

Dear Network Solutions Customer,

We recently notified you that the registration period for your Network Solutions domain name had expired. As a benefit of having previously registered a domain name(s) with Network Solutions, you are eligible to receive a percentage of the net proceeds that were generated from the renewal and transfer of the domain name you chose not to renew. Since you have chosen not to renew the domain name listed below during the applicable grace period, we were successful in securing a backorder for this domain name on your behalf and it has been transferred to another party in accordance with the Service Agreement.

Renew your domain now – http://www.networksolutions.com

You must click on the following link, enter your domain name, and confirm your contact information in order to claim these funds. If your contact information is not correct, you must enter Account Manager and make the appropriate changes prior to clicking “submit” from the confirmation screen. If you do not do this, you will be confirming inaccurate information and will not receive any payment. Checks will only be made payable and mailed to the Account Holder of record.

Sincerely,

Network Solutions® Customer Support

Here the link “http://www.networksolutions.com” actually leads to http://www (dot) networksolutions.com (dot) sys49.mobi/.

Network Solutions phishing website

Via Round Robin DNS the website is hosted on many compromised computers with xDSL or cable connections, mainly at Comcast:

$ host www.networksolutions.com.sys49.mobi
www.networksolutions.com.sys49.mobi has address 98.216.102.126
www.networksolutions.com.sys49.mobi has address 82.26.73.221
www.networksolutions.com.sys49.mobi has address 68.36.238.160
www.networksolutions.com.sys49.mobi has address 74.132.157.170
www.networksolutions.com.sys49.mobi has address 69.139.65.106
www.networksolutions.com.sys49.mobi has address 76.17.145.49
www.networksolutions.com.sys49.mobi has address 24.33.253.8
www.networksolutions.com.sys49.mobi has address 76.119.35.217
www.networksolutions.com.sys49.mobi has address 98.229.69.62
www.networksolutions.com.sys49.mobi has address 69.234.50.97

$ host 98.216.102.126
126.102.216.98.in-addr.arpa domain name pointer c-98-216-102-126.hsd1.ma.comcast.net.
$ host 82.26.73.221
221.73.26.82.in-addr.arpa domain name pointer client-82-26-73-221.bmly.adsl.virgin.net.
$ host 68.36.238.160
160.238.36.68.in-addr.arpa domain name pointer c-68-36-238-160.hsd1.nj.comcast.net.
$ host 74.132.157.170
170.157.132.74.in-addr.arpa domain name pointer 74-132-157-170.dhcp.insightbb.com.
$ host 76.17.145.49
49.145.17.76.in-addr.arpa domain name pointer c-76-17-145-49.hsd1.mn.comcast.net.
$ host 69.139.65.106
106.65.139.69.in-addr.arpa domain name pointer c-69-139-65-106.hsd1.pa.comcast.net.
$ host 24.33.253.8
8.253.33.24.in-addr.arpa domain name pointer cpe-24-33-253-8.indy.res.rr.com.
$ host 76.119.35.217
217.35.119.76.in-addr.arpa domain name pointer c-76-119-35-217.hsd1.ma.comcast.net.
$ host 98.229.69.62
62.69.229.98.in-addr.arpa domain name pointer c-98-229-69-62.hsd1.ma.comcast.net.
$ host 69.234.50.97
97.50.234.69.in-addr.arpa domain name pointer adsl-69-234-50-97.dsl.irvnca.pacbell.net.
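
The reverse lookups above can be tallied mechanically to show how the round-robin pool is spread over access providers and how many names look like dynamically assigned subscriber lines. This is an added example, not part of the original post: the function names, the two-label provider grouping and the "dashed IP inside the first label" heuristic are assumptions; the sample lines are the PTR answers from the output above.

```sh
#!/bin/sh
# PTR answers copied from the `host` output shown on this page.
sample_ptr_output() {
cat <<'EOF'
126.102.216.98.in-addr.arpa domain name pointer c-98-216-102-126.hsd1.ma.comcast.net.
221.73.26.82.in-addr.arpa domain name pointer client-82-26-73-221.bmly.adsl.virgin.net.
160.238.36.68.in-addr.arpa domain name pointer c-68-36-238-160.hsd1.nj.comcast.net.
170.157.132.74.in-addr.arpa domain name pointer 74-132-157-170.dhcp.insightbb.com.
49.145.17.76.in-addr.arpa domain name pointer c-76-17-145-49.hsd1.mn.comcast.net.
106.65.139.69.in-addr.arpa domain name pointer c-69-139-65-106.hsd1.pa.comcast.net.
8.253.33.24.in-addr.arpa domain name pointer cpe-24-33-253-8.indy.res.rr.com.
217.35.119.76.in-addr.arpa domain name pointer c-76-119-35-217.hsd1.ma.comcast.net.
62.69.229.98.in-addr.arpa domain name pointer c-98-229-69-62.hsd1.ma.comcast.net.
97.50.234.69.in-addr.arpa domain name pointer adsl-69-234-50-97.dsl.irvnca.pacbell.net.
EOF
}

# Read `host <ip>` output on stdin and print one line per provider:
#   <hosts> <hosts whose PTR name embeds the IP> <provider domain>
# Lines that are not PTR answers (prompts, A records) are ignored.
summarize_ptr() {
  awk '
  / domain name pointer / {
    # Rebuild the address from the reversed in-addr.arpa owner name.
    split($1, r, ".")
    ip_dash = r[4] "-" r[3] "-" r[2] "-" r[1]
    name = tolower($NF); sub(/\.$/, "", name)
    n = split(name, lab, ".")
    # Assumption: the last two labels identify the provider
    # (no Public Suffix List lookup, so co.uk-style names group wrongly).
    provider = lab[n-1] "." lab[n]
    total[provider]++
    # Heuristic: subscriber lines usually carry the dashed IP in the first label.
    if (index(lab[1], ip_dash) > 0) dyn[provider]++
  }
  END { for (p in total) printf "%d %d %s\n", total[p], dyn[p] + 0, p }
  ' | sort -k1,1nr -k3,3
}

# Stand-alone run: summarize the sample taken from the page.
sample_ptr_output | summarize_ptr
```

On the sample this reports six of the ten hosts under comcast.net, with every name matching the subscriber-line pattern. A pool of A records that resolves almost entirely to such names is a useful signal when triaging a suspicious hostname.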

All parties involved have, as far as possible, been informed of this via an abuse report, as has the Internet Storm Center.

Hopefully some updates will follow in the coming days…