[DNS] A spot of phishing ..

From: Ian Smith <smithi§nimnet.asn.au>
Date: Tue, 28 Oct 2008 00:34:20 +1100 (EST)
On Mon, 27 Oct 2008, Josh Rowe wrote:

 > Good Afternoon All,
 > 
 > It should be noted that there are two quite separate issues here:
 >
 > Issue One: A company has registered "stgeorgewestpac.com.au" which 
 > may be in breach of policy.
 > 
 > Issue Two: A phisher has used the domain name 
 > "stgeorgewestpac.com.au" as a "From:" email address in a phish email.
 > 
 > I have not seen any evidence that connects:
 > 	A: the company who registered the domain name "stgeorgewestpac.com.au" with
 > 	B: the entity that sent the phish email below.
 > 
 > The nature of the email standards (SMTP) means that phishers can fake 
 > the "From:" email message field to be any domain name of their 
 > choosing.
 > 
 > Therefore, without evidence demonstrating a link between the two, the 
 > company which registered "stgeorgewestpac.com.au" and the phisher are 
 > NOT the same entity.

Quite so, Josh; I don't believe I've implied that they were.

Further, there's no evidence that the phishing pages at the given URLs 
were installed with any knowledge of the registrant of stockroutes.info, 
Birds Australia Southern Queensland; most likely they were cracked, and 
they're no longer there.  The whole hit-and-run needn't take long.

Nor, I'd best add, should we suspect that the host called designsbs-01 
at CPE-61-9-248-65.static.wa.bigpond.net.au [61.9.248.65] was anything 
other than yet another poor owned Windows box robotically spewing spam, 
that got to me before hitting the honeypots feeding the RBLs.

Sure, phishers know better than to forge nonexistent "From:" domains 
these days; too many mailservers reject them on connection, so they 
need to forge real, preferably convincing domains.  This one somehow 
managed to discover that the domain stgeorgewestpac.com.au existed.

As Jon points out, maybe the banks themselves registered this domain 
preemptively on the quiet.  Maybe the registrar has verification that 
it was all on the level, and maybe emunicate.net is where the bank/s 
choose to host or park such domain/s.

Lots of maybes and scant transparency is the best we can expect :)

cheers, Ian


 > Regards
 > 
 > 
 > Josh
 > --
 > http://josh.id.au/
 > 
 > On Sun, Oct 26, 2008 at 12:38:48AM +1100, Ian Smith wrote:
 > > I won't include the whole message as it's in HTML, text version below,
 > > but the headers and the actual phishing links are quite interesting.
 > > 
 > > I guess many people wouldn't think 'X-Mailer: Spammer 2007' a clue :)
 > > 
 > > Here are the phishing links, de-HTMLised for your viewing pleasure:
 > > 
 > > "http://stockroutes.info/crm/jscalendar/lang/online.westpac.com.au/esis/Login/SrvPage/"
 > > Westpac Clients Click Here
 > > 
 > > "http://stockroutes.info/crm/jscalendar/lang/www.stgeorge.com.au/InternetBanking/welcome.jsp/"
 > > St.George Clients Click Here
 > > 
 > > The logo links are to the actual St George and Westpac sites.
 > > 
 > > What I find fascinating is that someone could register a domain called
 > > 'stgeorgewestpac.com.au' without anybody raising an eyebrow, since May
 > > this year.
 > > 
 > > I'm sure you all know how to look up who registered it, and we can all
 > > ponder the 'close and substantial'ness of 'A.C.N. 123 970 418 PTY LTD'
 > > 
 > > Is our slather open enough yet?
 > > 
 > > cheers, Ian
 > > 
 > > ---------- Forwarded message ----------
 > > Return-Path: <custoersmessage§stgeorgewestpac.com.au>
 > > Received: from designsbs-01 (CPE-61-9-248-65.static.wa.bigpond.net.au
 > >     [61.9.248.65])
 > >     by sola.nimnet.asn.au (8.14.2/8.14.2) with SMTP id m9PCSqsa009152
 > >     for <smithi§nimnet.asn.au>; Sat, 25 Oct 2008 23:28:58 +1100 (EST)
 > >     (envelope-from custoersmessage§stgeorgewestpac.com.au)
 > > Message-Id: <200810251228.m9PCSqsa009152§sola.nimnet.asn.au>
 > > From: Stgeorge & Westpac Group <custoersmessage§stgeorgewestpac.com.au>
 > > To: smithi§nimnet.asn.au
 > > Subject: Notification To All St.George/Westpac Clients
 > > Date: Sat, 25 Oct 2008 20:28:58 +0800
 > > X-Mailer: Spammer 2007
 > 
 > [snip-snip]
 > ---------------------------------------------------------------------------
 > List policy, unsubscribing and archives => http://dotau.org/
 > 
Received on Mon Oct 27 2008 - 06:34:20 UTC
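The header reading Ian walks through above (connecting host unrelated to the forged "From:" domain, a bare HELO name, the 'Spammer 2007' X-Mailer), as an added example that is not part of the thread: a small Python triage that parses the quoted headers and reports those signals. It assumes the archive's "§" at-sign obfuscation has been reversed and uses a crude registrable-domain heuristic in place of a proper public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the thread above, with the
# archive's "§" at-sign obfuscation reversed so the parser sees real addresses.
SAMPLE_HEADERS = """\
Return-Path: <custoersmessage@stgeorgewestpac.com.au>
Received: from designsbs-01 (CPE-61-9-248-65.static.wa.bigpond.net.au
    [61.9.248.65])
    by sola.nimnet.asn.au (8.14.2/8.14.2) with SMTP id m9PCSqsa009152
    for <smithi@nimnet.asn.au>; Sat, 25 Oct 2008 23:28:58 +1100 (EST)
    (envelope-from custoersmessage@stgeorgewestpac.com.au)
From: Stgeorge & Westpac Group <custoersmessage@stgeorgewestpac.com.au>
X-Mailer: Spammer 2007

"""

# "from HELO (rdns [ip]) by server" as sendmail writes it, whitespace-normalised.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+(\S+)")

# Crude registrable-domain heuristic (an assumption, not a public-suffix list):
# treat com.au, net.au, asn.au and friends as two-label suffixes.
SECOND_LEVEL = {"com", "net", "org", "edu", "gov", "asn", "id"}


def registrable(host):
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL else 2
    return ".".join(labels[-n:])


def triage(raw):
    """Return the From domain, the last hop before our MTA, and a list of findings."""
    msg = message_from_string(raw)
    # The first Received header is the one our own server added, so its
    # "from" clause names the host that actually connected to us.
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    hop = RECEIVED_RE.search(received[0]) if received else None
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if hop:
        helo, rdns, ip, _ = hop.groups()
        if "." not in helo:
            findings.append(f"HELO '{helo}' is a bare hostname, not a FQDN")
        if registrable(rdns) != registrable(from_domain):
            findings.append(f"From domain {from_domain} is unrelated to connecting host {rdns} [{ip}]")
    mailer = msg.get("X-Mailer", "")
    if "spam" in mailer.lower():
        findings.append(f"X-Mailer '{mailer}' self-identifies as spamware")
    return {"from_domain": from_domain, "relay": hop.groups() if hop else None, "findings": findings}
```

A mismatch between connecting host and From: domain is a signal, not proof of anything about either party (legitimate third-party senders produce it too); sender-alignment checks such as SPF are the principled form of this test.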