[Dshield] FYI

Coxe, John B. JOHN.B.COXE at saic.com
Fri Jan 23 23:40:52 GMT 2004

They are using the obfuscation du jour in the emails.


I am looking to see if this is the only host (that would be dumb) they are
using.  It is in Pakistan.  Has anyone audited this campaign to see the
complexion of the web servers used to service this campaign?

Below is the registration and the data from a representative message
received (of many).

OrgName:    Asia Pacific Network Information Centre 
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange: - 
NetHandle:  NET-202-0-0-0-1
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS.RIPE.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
RegDate:    1994-04-05
Updated:    2004-01-21

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact 
OrgTechPhone:  +61 7 3858 3100
OrgTechEmail:  search-apnic-not-arin at apnic.net

# ARIN WHOIS database, last updated 2004-01-22 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
whois -h whois.apnic.net
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum: -
netname:      CUBEXS
descr:        CubeXS Private Lmited
descr:        Internet Service Provider
descr:        Data Entry
descr:        Software House
descr:        310-311 Kassam Court
descr:        B.C. 9, Block 5, Clifton
descr:        Karachi, Pakistan
country:      PK
admin-c:      AR22-AP
tech-c:       AR22-AP
remarks:      aly at cubexs.net.pk
mnt-by:       MAINT-PK-CUBEXS
changed:      hostamster at apnic.net 20000306
source:       APNIC

person:       Aly Ramzan
address:      CubeXS Private Limited
address:      310-311, Kassam Court, B.C.9,
address:      Block 5, Clifton,
address:      Karachi, Pakistan
country:      PK
phone:        +9221-5877946
fax-no:       +9221-5877950
e-mail:       aly at cubexs.net.pk
nic-hdl:      AR22-AP
mnt-by:       MAINT-NEW
changed:      aly at cubexs.net.pk 20000105
source:       APNIC

This is the full HTML content of a representative message:

To whom it may concern;
<p>In cooperation with the Department Of Homeland Security, Federal, State
and Local Governments your account has been denied insurance from the
  Deposit Insurance Corporation due to suspected violations of the Patriot
Act. While we have only a limited amount of evidence gathered on your
account at<br>
  this time it is enough to suspect that currency violations may have
occurred in your account and due to this activity we have withdrawn Federal
  Insurance on your account until we verify that your account has not been
used in a violation of the Patriot Act.</p>
<p>As a result Department Of Homeland Security Director Tom Ridge has
advised the Federal Deposit Insurance Corporation to suspend all deposit
insurance on<br>
  your account until such time as we can verify your identity and your
account information.</p>
<p>Please verify through our IDVerify below. This information will be
checked against a federal government database for identity verification.
This only takes<br>
  up to a minute and when we have verified your identity you will be
notified of said verification and all suspensions of insurance on your
account will be<br>
<p>Failure to use IDVerify below will cause all insurance for your account
to be terminated and all records of your account history will be sent to
  Federal Bureau of Investigation in Washington D.C. for analysis and
verification. Failure to provide proper identity may also result in a visit
from Local,<br>
  State or Federal Government or Homeland Security Officials.</p>
<p>Thank you for your time and consideration in this matter.</p>
<p>Donald E. Powell</p>
<p>Chairman Emeritus FDIC </p>
<p>John D. Hawke, Jr. </p>
<p>Comptroller of the Currency </p>
<p>Michael E. Bartell </p>
<p>Chief Information Officer</p>

Sanitized header data:  (source data retained)

Return-Path: <Rosalyn_Trey at aol.com>
Received: from home.nl ([] []) by REMOVED for
<REMOVED>; Fri, 23 Jan 2004 09:13:42 -0800
Received: from cp496607-a.roose1.nb.home.nl (cp496607-a.roose1.nb.home.nl
        by home.nl (8.12.8p1/8.12.8) with ESMTP id enxkf004574
        for <REMOVED>; Fri, 23 Jan 2004 17:22:22 -0400 (EST)
Message-Id: <sgurl24583 at aol.com>
From: "FDIC" <Rosalyn_Trey at aol.com>
Subject: Important News About Your Bank Account
MIME-Version: 1.0
Content-Type: multipart/related;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

This is a multi-part message in MIME format.

Content-Type: multipart/alternative;

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Rick Sroka
Sent: Friday, January 23, 2004 2:17 PM
To: list at dshield.org
Subject: [Dshield] FYI 

           There have been reports that fraudulent emails have been
circulating which inform customers that their account has been denied
the right to insurance from the Federal Deposit Insurance Corporation
(FDIC).  The FDIC is aware of this and has posted a response to this
problem on there website at:


list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list