[Dshield] Just received (phishing)

KrogNetix abuse at allover.ca
Fri Feb 3 18:03:38 GMT 2006


Joshua,

A little off topic maybe.....

I have seen this type of activity myself: receiving spam to non-used,
non-advertised and sometimes just recently created ISP-based email
addresses (i.e. @telus.net).

This "pump & dump" stock spam is the peskiest one to deal with. I also
believe that spammers may have the ability to get "spam trap" addresses for
the RBL lists (like SPAMCOP). Recently I have seen 4 separate incidents
where email service providers were somehow added to the SPAMCOP RBL when no
spamming was occurring from those IPs. I know it could potentially be
client "out of office" replies triggering the trap, but let's face it, it
is very strange that spammers can now find your address even if you do not
advertise it anywhere, and no evidence of a dictionary attack is present.

What if the spammer could also discover the supposedly secret "spam trap"
addresses? They could easily get any mail system blacklisted in a
heartbeat.

In the 4 cases where the provider was mysteriously on the SPAMCOP RBL, the
companies are very anti-spam and have day to day battles with the
unsolicited mail. Kind of weird that both got added somehow to the RBL?

It would be very interesting to know if your "honeytoken" was compromised.
Please follow up when you have more details.

------------------
M. McBride
Security Admin
Allover/ KrogNetix
Vancouver CA
888-320-TECH




-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Knust, Joshua
Sent: Friday, February 03, 2006 7:38 AM
To: General DShield Discussion List
Subject: [ABUSE] Re: [Dshield] Just received (phishing)


Some additional understanding of small bank IT operations may help.

I have reason to believe a bank I use was compromised (or a downstream
vendor they use). For my personal email, I use a unique email address for
every online registration, order or form that requires email (since I own
the domain and mail server). A pseudo honeytoken approach, if you will, as I
want to know who sells my email (you'd be surprised). For example, I
registered something like josh.mybankname102004 at mydomainname.com.

Just a few weeks ago I started receiving financial related spam to that
specific address (mostly penny stock "advice"). I clearly established it did
not result from a dictionary attack or harvesting attempt on my domain
either, and that email was never used prior - just suddenly started
receiving financial spam only. I contacted my bank and explained, and they
are investigating. Since they are making good faith efforts, I will not
disclose their name.

I have also done bank penetration testing in the past.... so I know the
inner workings a bit. In layman's terms, I have found that most smaller
banks are more like a franchise front end and require a larger central
processing facility that is shared by many banks (that are not the same
bank). You can bet that many small banks ship off check image processing,
mainframe duties, reconciliation, etc. and that your email registered with
them online may be in one large database serving multitudes of banks. This
is especially true of online banking (think ASP model).

I'd be interested in chatting offline to see if this is related. In
approaching this bank... do some research on honeytokens (protecting IP,
theft, internal fraud, etc.) and you should be able to convey your concerns.
Large banks use honeytokens... for example, a credit card number with
specific, but false, customer info is stored in a DB... and nowhere else. So
if one day it is used.... you may be able to determine that DB is
compromised even on an inside job where an admin leaves little evidence and
is directly accessing the DB. There are some wild uses of honeytokens if you
research it for awhile. 

All of this email is my personal opinion and in no way representative of, or
related to, my current employ.

HTH
Joshua
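
The per-registration "honeytoken" address scheme described above, as an added example that is not part of this thread: a small Python checker that looks up which organization an inbound message's recipient address was issued to and flags mail from anyone else as evidence that that organization's copy (or a vendor's) leaked. The addresses, sender domains and sample messages are constructed and hypothetical.

```python
from email import message_from_string, policy, utils

# Constructed registry of single-use "honeytoken" addresses (hypothetical names):
# each address was handed to exactly one organization and its expected sender domains.
REGISTRY = {
    "josh.mybankname102004@mydomainname.com": ("mybankname", {"mybankname.com"}),
    "josh.bookshop112005@mydomainname.com": ("bookshop", {"bookshop.example"}),
}

def sender_domain(header_value):
    """Lower-cased domain of a From: header value, or '' when missing/malformed."""
    _, address = utils.parseaddr(header_value)
    return address.rpartition("@")[2].lower()

def classify(raw_message):
    """Classify one inbound message by the honeytoken address it was sent to.
    Returns (verdict, service) where verdict is:
      'expected' - sent by the organization the address was given to
      'leaked'   - sent by anyone else; only that organization ever held the address
      'unknown'  - no recipient is a registered honeytoken
    """
    msg = message_from_string(raw_message, policy=policy.default)
    recipients = utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    for _, rcpt in recipients:
        entry = REGISTRY.get(rcpt.lower())
        if entry is None:
            continue
        service, allowed_domains = entry
        if sender_domain(msg.get("From", "")) in allowed_domains:
            return ("expected", service)
        return ("leaked", service)
    return ("unknown", None)

# Constructed samples: a penny-stock pitch and a genuine bank notice, both sent to
# the address that only the (hypothetical) bank was ever given.
STOCK_SPAM = (
    'From: "Hot Tips" <alerts@stocktips.example>\n'
    "To: josh.mybankname102004@mydomainname.com\n"
    "Subject: This stock is about to move\n\nBuy now.\n"
)
BANK_NOTICE = (
    "From: Online Banking <notices@mybankname.com>\n"
    "To: josh.mybankname102004@mydomainname.com\n"
    "Subject: Your statement is ready\n\nLog in to view it.\n"
)

if __name__ == "__main__":
    print(classify(STOCK_SPAM))   # ('leaked', 'mybankname')
    print(classify(BANK_NOTICE))  # ('expected', 'mybankname')
```

Run it over a mailbox of one tagged address and the first "leaked" verdict names the registration that needs the follow-up conversation.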

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of J Lake
Sent: Friday, February 03, 2006 6:54 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Just received (phishing)


On Thursday 02 February 2006 02:04 pm, Aaron Lewis wrote:
> Phishing attempt for Town North Bank in Texas. I received an email 
> linking me to a site asking for all the account information. I'm not a 
> customer there but the URL I was lead to is
>
> http://200.93.202.10/~almost/www.tnbonlinebanking.com/signon.html
>
> ADL

This reminds me to ask a question to the group: 

Someone in my organization was taken in by a phishing scam this week. When I
asked him about it further, I found out that the e-mail address that the
phish was sent to is not an address in general circulation. I think he 
fell for it because that address was used by the bank and only one or two
other people had it.

So my question to the group is, should I imply from this that the bank's
information was compromised in some way? It is a really small, local bank. I
can't think of any other reason for someone to associate that bank and his
uncirculated e-mail address without figuring that the bank either lost that
information, or sold it. Can anyone help me understand this better?
Thanks J



Here was the link by the way, it's dead now:
> Please confirm your email by clicking the link below :
>
> http://cash4erotik.de/.p/Onlinebanking/
>


_________________________________________
Learn about Intrusion Detection in Depth from the comfort of your own couch:
https://www.sans.org/athome/details.php?id=1341&d=1

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
