[DNS] A spot of phishing ..

From: Josh Rowe <josh§email.nu>
Date: Mon, 27 Oct 2008 18:41:38 +1100
Good Afternoon All,

It should be noted that there are two quite separate issues here:

Issue One: A company has registered "stgeorgewestpac.com.au" which may be in breach of policy.

Issue Two: A phisher has used the domain name "stgeorgewestpac.com.au" as a "From:" email address in a phish email.

I have not seen any evidence that connects:
	A: the company who registered the domain name "stgeorgewestpac.com.au" with
	B: the entity that sent the phish email below.

The nature of the email standards (SMTP) means that phishers can fake the "From:" email message field to be any domain name of their choosing.

Therefore, without evidence demonstrating a link between the two, the company which registered "stgeorgewestpac.com.au" and the phisher are NOT the same entity.

Regards


Josh
--
http://josh.id.au/

On Sun, Oct 26, 2008 at 12:38:48AM +1100, Ian Smith wrote:
> I won't include the whole message as it's in HTML, text version below,
> but the headers and the actual phishing links are quite interesting.
> 
> I guess many people wouldn't think 'X-Mailer: Spammer 2007' a clue :)
> 
> Here are the phishing links, de-HTMLised for your viewing pleasure:
> 
> "http://stockroutes.info/crm/jscalendar/lang/online.westpac.com.au/esis/Login/SrvPage/"
> Westpac Clients Click Here
> 
> "http://stockroutes.info/crm/jscalendar/lang/www.stgeorge.com.au/InternetBanking/welcome.jsp/"
> St.George Clients Click Here
> 
> The logo links are to the actual St George and Westpac sites.
> 
> What I find fascinating is that someone could register a domain called
> 'stgeorgewestpac.com.au' without anybody raising an eyebrow, since May
> this year.
> 
> I'm sure you all know how to look up who registered it, and we can all
> ponder the 'close and substantial'ness of 'A.C.N. 123 970 418 PTY LTD'
> 
> Is our slather open enough yet?
> 
> cheers, Ian
> 
> ---------- Forwarded message ----------
> Return-Path: <custoersmessage§stgeorgewestpac.com.au>
> Received: from designsbs-01 (CPE-61-9-248-65.static.wa.bigpond.net.au
>     [61.9.248.65])
>     by sola.nimnet.asn.au (8.14.2/8.14.2) with SMTP id m9PCSqsa009152
>     for <smithi§nimnet.asn.au>; Sat, 25 Oct 2008 23:28:58 +1100 (EST)
>     (envelope-from custoersmessage§stgeorgewestpac.com.au)
> Message-Id: <200810251228.m9PCSqsa009152§sola.nimnet.asn.au>
> From: Stgeorge & Westpac Group <custoersmessage§stgeorgewestpac.com.au>
> To: smithi§nimnet.asn.au
> Subject: Notification To All St.George/Westpac Clients
> Date: Sat, 25 Oct 2008 20:28:58 +0800
> X-Mailer: Spammer 2007

[snip-snip]
Received on Mon Oct 27 2008 - 00:41:38 UTC
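
Added example (not part of either message above): a short Python triage of the forwarded headers and links. It separates what the receiving MTA recorded (the connecting IP in "Received:") from the sender-supplied "From:" and Return-Path, and the real link host from the bank hostname placed in the URL path. Function names are illustrative, and the archive's "§" is restored to "@" in the sample.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Copied from the forwarded message on this page; "§" restored to "@".
RAW_HEADERS = """\
Return-Path: <custoersmessage@stgeorgewestpac.com.au>
Received: from designsbs-01 (CPE-61-9-248-65.static.wa.bigpond.net.au
    [61.9.248.65])
    by sola.nimnet.asn.au (8.14.2/8.14.2) with SMTP id m9PCSqsa009152
    for <smithi@nimnet.asn.au>; Sat, 25 Oct 2008 23:28:58 +1100 (EST)
    (envelope-from custoersmessage@stgeorgewestpac.com.au)
From: Stgeorge & Westpac Group <custoersmessage@stgeorgewestpac.com.au>
X-Mailer: Spammer 2007
"""
LINKS = [
    "http://stockroutes.info/crm/jscalendar/lang/online.westpac.com.au/esis/Login/SrvPage/",
    "http://stockroutes.info/crm/jscalendar/lang/www.stgeorge.com.au/InternetBanking/welcome.jsp/",
]

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage_headers(raw):
    msg = message_from_string(raw)
    # The topmost Received line is written by the recipient's own MTA, so the
    # bracketed IP is what it observed; HELO, From and Return-Path are sender-supplied.
    m = re.search(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)", msg["Received"])
    helo, rdns, ip = m.groups()
    from_dom = domain_of(msg["From"])
    return {
        "from_domain": from_dom,
        "envelope_domain": domain_of(msg["Return-Path"]),
        "helo": helo, "rdns": rdns.lower(), "ip": ip,
        "relay_in_from_domain": rdns.lower().endswith("." + from_dom),
    }

def triage_link(url):
    parts = urlsplit(url)
    # The host is where the browser connects; a bank hostname in the path is decoration.
    decoy = re.search(r"/((?:[a-z0-9-]+\.)+com\.au)(?=/)", parts.path)
    return parts.hostname, decoy.group(1) if decoy else None

if __name__ == "__main__":
    print(triage_headers(RAW_HEADERS))
    for link in LINKS:
        print(triage_link(link))
```

A relay outside the "From:" domain does not by itself prove forgery, since legitimate senders also use third-party relays; the output only shows that the "From:" domain says nothing about where the message came from.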
