Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sun Jul 15, 2007 5:16 am Post subject: SunTrust Bank phish on Kornet ip
The following phish hit my spamtrap:
Mail headers:
Quote:
Return-Path: <csteam.ref66164420.nf@suntrust.com>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 14 Jul 2007 22:32:04 -0000
Received: from 87-196-74-2.net.novis.pt (HELO 87-196-74-2.net.novis.pt) [87.196.74.2]
by mx0.gmx.net (mx078) with SMTP; 15 Jul 2007 00:32:04 +0200
Received: from hot.ee (HELO hot.ee.corbis.com [102.161.96.160])
by ledzeppelin.com with SMTP id FXZYHJ2XQR
for <spamtrap>; Sat, 14 Jul 2007 15:32:06 -0800
From: "SunTrust Bank" <csteam.ref66164420.nf@suntrust.com>
To: <spamtrap>
Date: Sun, 15 Jul 2007 05:32:06 +0600
Subject: SunTrust Bank: Urgent Security Notification! (mess_id: PL4445238024628)
User-Agent: Calypso Version 3.20.01.01 (4)
X-Mailer: Calypso Version 3.20.01.01 (4)
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--WW1OC938Z6S0J7GRGYK"
The sender 87-196-74-2.net.novis.pt is the usual trojanned Windows machine; of course the nature of the mail wouldn't allow for using a legit mail server. The Received lines below the one marked in bold are falsified by the scumbag's spamware and should be discarded.
Mail body:
Quote:
Dear SunTrust Bank customer,
SunTrust Client Service Team requests you to complete Online Treasury Customer Form.
This procedure is obligatory for all business and corporate clients of SunTrust Bank.
Please click hyperlink below to access Online Treasury Customer Form.
http://onlinetreasurymanager-id6159197.suntrust.com/ibswebsuntrust/cmserver/customer.cfm[1]
Thank you for choosing SunTrust Bank for your business needs.
Please do not respond to this email.
This mail generated by an automated service.
The trained eye immediately spots the b0rked English, which would be rather untypical for a legit bank with English-speaking customers.
[1] denotes the fake link that actually leads to:
http ://onlinetreasurymanager-id6159197.suntrust.com.standyon.com/ibswebsuntrust/cmserver/customer.cfm
I marked the actual domain as bold, the part left of it is irrelevant as the subdomain points to the same address:
standyon.com -> 211.195.203.180
onlinetreasurymanager-id6159197.suntrust.com.standyon.com -> 211.195.203.180
The ip address belongs to:
Quote:
IPv4 Address : 211.195.203.128-211.195.203.255
Network Name : KORNET-INFRA000001
Connect ISP Name : KORNET
Registration Date : 20060405
Publishes : N
[ Organization Information ]
Organization ID : ORG1600
Org Name : Korea Telecom
Address : Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code : 463-711
[ Technical Contact Information ]
Org Name : Korea Telecom
Address : Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code : 463-711
E-Mail : ip at krnic.kornet.net
This machine has already been used as phishing host before:
http://groups.google.com/group/news.admin.net-abuse.sightings/search?group=news.admin.net-abuse.sightings&q=211.195.203.180
And harbours an impressive set of alternative host names (probably phishing domains, too):
dono4f.hk
exceluse.us
inworldjob.biz
jolcod.biz
klan-test-ns.net
martcode.hk
nuusers.com
rshins.com
standyon.com
s1.rshins.com
s3.rshins.com
theulrich.info
vivad.biz
voloky.cc
ns1.inworldjob.biz
ns2.inworldjob.biz
More information can be found in Spamhaus' SBL entry for this ip address:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL56627
Olliver _________________ Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sun Jul 15, 2007 10:56 am Post subject:
Meanwhile the SunTrust bank phish has landed in NANAS too:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/b09ed507adf08116/
The phish domain is this time:
onlinetreasurymanager-id810067335.suntrust.com.standlie.info
And now the grand prize question: What ip address does this host resolve to?
Quote:
[olliver@bunkiten ~]$ host onlinetreasurymanager-id810067335.suntrust.com.standlie.info
onlinetreasurymanager-id810067335.suntrust.com.standlie.info has address 211.195.203.180
Yeah, it's still the same Korean machine running on autopilot from my previous post. I'm curious how many weeks this machine will be left in its current state...
Olliver _________________ Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
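Both posts rest on two manual checks: reading the Received chain top-down and trusting only the hop stamped by your own MX (everything below it is sender-supplied and discarded), and reading the link's host name from the right so that `suntrust.com.standyon.com` and `suntrust.com.standlie.info` resolve to the registrable domains `standyon.com` and `standlie.info` rather than to the bank. The script below is an added example, not code from the original thread; it automates both checks over a sample message constructed from the headers and links quoted in the posts (the spamtrap address is replaced by a placeholder). The `registrable_domain` helper assumes the last two labels form the registrable domain, which is a simplification; production code should consult the Public Suffix List.

```python
import email
import re
from urllib.parse import urlsplit

# Constructed sample assembled from the headers quoted in the first post;
# the spamtrap address is a placeholder.
RAW_MAIL = (
    "Return-Path: <csteam.ref66164420.nf@suntrust.com>\n"
    "Delivered-To: <spamtrap@example.invalid>\n"
    "Received: (qmail invoked by alias); 14 Jul 2007 22:32:04 -0000\n"
    "Received: from 87-196-74-2.net.novis.pt (HELO 87-196-74-2.net.novis.pt) [87.196.74.2]\n"
    "  by mx0.gmx.net (mx078) with SMTP; 15 Jul 2007 00:32:04 +0200\n"
    "Received: from hot.ee (HELO hot.ee.corbis.com [102.161.96.160])\n"
    "  by ledzeppelin.com with SMTP id FXZYHJ2XQR\n"
    "  for <spamtrap@example.invalid>; Sat, 14 Jul 2007 15:32:06 -0800\n"
    'From: "SunTrust Bank" <csteam.ref66164420.nf@suntrust.com>\n'
    "Subject: SunTrust Bank: Urgent Security Notification!\n"
    "\n"
    "Please click hyperlink below.\n"
)

# Claimed sending host, the literal IP in brackets, and the receiving ("by") host.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_received(header_value):
    """Unfold one Received header and extract from-host, IP and by-host (None if unparseable)."""
    flat = re.sub(r"\s+", " ", header_value)
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    return {"from_host": m["host"], "ip": m["ip"], "by": m["by"]}


def _under(host, suffixes):
    host = host.lower().rstrip(".")
    return any(host == s.lower() or host.endswith("." + s.lower()) for s in suffixes)


def first_external_hop(raw_mail, trusted_suffixes):
    """Walk Received headers newest-first. The first hop stamped by one of our own
    servers (trusted_suffixes) names the host that really injected the mail; every
    Received header below that hop was written by the sender and is untrusted."""
    msg = email.message_from_string(raw_mail)
    headers = msg.get_all("Received") or []
    for idx, value in enumerate(headers):
        hop = parse_received(value)
        if hop is None:
            continue  # local delivery lines such as "(qmail invoked by alias)"
        if _under(hop["by"], trusted_suffixes):
            return {
                "origin_host": hop["from_host"],
                "origin_ip": hop["ip"],
                "untrusted_received": [re.sub(r"\s+", " ", h) for h in headers[idx + 1:]],
            }
    return None


def registrable_domain(host):
    """Owner-controlled domain, assumed here to be the last two labels (simplification;
    real code should use the Public Suffix List so that e.g. 'co.uk' takes three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(url, brand_domains):
    """Flag a URL whose registrable domain is not a brand domain while a brand domain
    appears verbatim among the subdomain labels (the 'suntrust.com.standyon.com' pattern)."""
    host = urlsplit(url).hostname or ""
    owner = registrable_domain(host)
    labels = host.lower().split(".")
    embedded = []
    for brand in brand_domains:
        parts = brand.lower().split(".")
        if brand.lower() != owner and any(
            labels[i:i + len(parts)] == parts for i in range(len(labels))
        ):
            embedded.append(brand)
    return {"host": host, "registrable_domain": owner,
            "embedded_brands": embedded, "lookalike": bool(embedded)}


if __name__ == "__main__":
    print(first_external_hop(RAW_MAIL, ("gmx.net",)))
    for u in (
        "http://onlinetreasurymanager-id6159197.suntrust.com/ibswebsuntrust/cmserver/customer.cfm",
        "http://onlinetreasurymanager-id6159197.suntrust.com.standyon.com/ibswebsuntrust/cmserver/customer.cfm",
        "http://onlinetreasurymanager-id810067335.suntrust.com.standlie.info/",
    ):
        print(analyze_link(u, {"suntrust.com"}))
```

Run as a script it reports `87-196-74-2.net.novis.pt` / `87.196.74.2` as the injecting host with one discarded Received line below it, and flags the `standyon.com` and `standlie.info` links while leaving the genuine `suntrust.com` link clean. The trusted-suffix list is the one piece of local knowledge the check needs: it must name the receiving side's own MX domains, because the Received chain is only trustworthy from the first hop those servers wrote.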