Sunday, February 19, 2006

And again...

Spam received claiming to be from Bank of America, trying to collect passwords. Now, here's how you do it: select "View Source" in Outlook (Exchange is only the server), or "Show original" in Gmail. This shows you the raw message, HTML and all. Look for the link you're meant to click to provide your password: it will look something like this, angle brackets and all:

<a href="their real URL">yes, we really are the bank, click here, sucker</a>

The address inside href is where you really get sent; the text between the tags is only what gets displayed, and it can say anything at all, including the bank's genuine web address.

Now you know where the passwords are being collected. Do a WHOIS search on the host name in that URL (and, if you like, on its IP address), and you know who registered the domain and who is hosting it. Bear in mind that what comes back is the registrant and the hosting company, not necessarily the phisher: the box may simply have been broken into, and registrant details are often false anyway. It is still the right place to send the abuse report.
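The same steps done by script, as an added example that is not part of the original post: it takes the raw message you get from "View Source" / "Show original", pulls every link out of the HTML part, keeps the ones whose target host does not belong to the domain the From header claims to be from, and lists the domains to run whois against. The message below is constructed for the example and the domains in it are placeholders; the From domain is of course spoofed, but that is exactly the point: a real bank mail would link to the bank's own domain.

```python
"""Pull the phishing link out of a raw e-mail and work out what to whois.

Added example, not the blog author's code.  RAW_MAIL is a constructed
sample message; example.net stands in for the phisher's host.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: what "View Source" / "Show original" hands you.
RAW_MAIL = b"""From: "Bank of America" <security@bankofamerica.com>
To: victim@example.org
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear customer, please <a href="http://phish.example.net/boa/login.php">
click here to confirm your password</a>.</p>
<p>Visit <a href="http://www.bankofamerica.com/">www.bankofamerica.com</a> for help.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def html_body(raw):
    """Decoded text of the HTML part (or '' if the mail has none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part else ""


def sender_domain(raw):
    """Domain of the first address in From:, i.e. who the mail claims to be."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addr = msg["From"].addresses[0].addr_spec
    return addr.rsplit("@", 1)[-1].lower()


def registrable(host):
    """Crude 'registrable domain' guess: the last two labels.  Fine for
    .com/.pl style names; ccSLDs such as .co.uk would need a suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(raw):
    """Links whose target host is outside the claimed sender's domain."""
    claimed = registrable(sender_domain(raw))
    parser = LinkCollector()
    parser.feed(html_body(raw))
    found = []
    for href, text in parser.links:
        host = urlsplit(href).hostname
        if host and registrable(host) != claimed:
            found.append({"href": href, "text": text, "host": host,
                          "domain": registrable(host)})
    return found


def whois_targets(raw):
    """Distinct domains to run whois against, in order of appearance."""
    seen = []
    for hit in suspicious_links(raw):
        if hit["domain"] not in seen:
            seen.append(hit["domain"])
    return seen


if __name__ == "__main__":
    for hit in suspicious_links(RAW_MAIL):
        print(f"link text {hit['text']!r} -> {hit['href']}")
    for dom in whois_targets(RAW_MAIL):
        print(f"whois {dom}")
```

Feed it a real message with `suspicious_links(open("mail.eml", "rb").read())` and run the printed `whois` commands yourself. The From-domain comparison is a triage heuristic, not proof: plenty of legitimate mail links through tracking or CDN domains, so a hit means "go and look", not "guilty".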

For example:

That Bank of America fraudmail contains a link to a Polish hosting company called host44.pl. Their details are as follows:
Looking up host44.pl at whois.dns.pl.


% This is the NASK WHOIS Server.
% This server provides information only for PL domains.
% For more info please see http://www.dns.pl/english/whois.html

Domain object:
domain: host44.pl
registrant's handle: nta4827 (CORPORATE)
nservers: dns2.host44.pl.[67.19.65.165]
dns.host44.pl.[67.19.65.164]
created: 2003.12.29
last modified: 2005.12.23
registrar: NetArt
Zabawa 118
32-020 Wieliczka
Polska/Poland
+48.801 800 700
+48.12 4244010
*****@nazwa.pl

option: the domain name has not option

Subscribers Contact object:
company: CM cashMedia Tomasz Adamek
street: ul. Kopernika
city: 47-200 Kedzierzyn-Kozle
location: pl
handle: nta4827
phone: +48.601080089
last modified: 2004.10.30
registrar: NetArt
Zabawa 118
32-020 Wieliczka
Polska/Poland
+48.801 800 700
+48.12 4244010
*****@nazwa.pl


The mail server behind it has been rigged to answer with silly error messages (an SMTP 550 "Recipients are not verified"? Yeah, right.)

Don't all ring at once, eh. It really shouldn't be that difficult.

