Blog: Phishing

Recently, an unscrupulous individual was trying to set up a fake copy of one of our customers' websites, for what was likely a phishing scheme, on a server located in the Netherlands. Upon examining the whois record, there was a contact listed as the admin with an address and phone number. Upon calling the number, the individual who answered the phone of course knew nothing about the person who registered the website. Other entries appeared to indicate that Yahoo was involved in the hosting. However, in order to actually connect to the website, the DNS records are registered with name servers that are usually from the webhost provider. Below is a screenshot of the Whois results (with some of the information removed).

After querying the name server's DNS for citibo.com, it was clear that these servers were pointing back to a server named hosting1-nl.santrex.net. Santrex.net appeared to have hosting servers located in the Netherlands. A trouble ticket was created for abuse on the santrex.net website, and a few hours later, the webhost provider suspended the account. While we were still waiting for the FBI to get back to us, it was really helpful to contact the webhost provider and get the website taken down.
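The tracing step described above (resolve the suspect domain, reverse-resolve the address, and report to the provider that actually hosts it rather than the one WHOIS hints at), as an added example that is not part of the original post. The function names, the `whois_hints` parameter, the `ns1.yahoo.com` hint, the 192.0.2.x addresses and the `abuse@` mailbox convention are assumptions or constructed values; the post itself used the provider's web trouble-ticket form.

```python
import socket

def provider_domain(hostname):
    """Naive registrable domain: last two labels (ignores suffixes like co.uk)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def _resolve(domain):
    # Live A/AAAA lookup through the system resolver.
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def _reverse(ip):
    # Live PTR lookup; raises OSError (socket.herror) when no PTR exists.
    return socket.gethostbyaddr(ip)[0]

def trace_host(domain, whois_hints=(), resolve=_resolve, reverse=_reverse):
    """Return one finding per IP: PTR name, provider, and whether WHOIS agreed."""
    hinted = {provider_domain(h) for h in whois_hints}
    findings = []
    for ip in resolve(domain):
        try:
            ptr = reverse(ip)
        except OSError:
            ptr = None  # no reverse record: fall back to an IP WHOIS lookup
        provider = provider_domain(ptr) if ptr else None
        findings.append({
            "ip": ip,
            "ptr": ptr,
            "provider": provider,
            "abuse_contact": f"abuse@{provider}" if provider else None,  # assumed convention
            "matches_whois": provider in hinted,
        })
    return findings

if __name__ == "__main__":
    # Constructed lookups so the demo runs offline.
    ptrs = {"192.0.2.10": "hosting1-nl.santrex.net"}
    def fake_reverse(ip):
        if ip not in ptrs:
            raise OSError("no PTR")
        return ptrs[ip]
    for f in trace_host("citibo.com", ["ns1.yahoo.com"],
                        resolve=lambda d: ["192.0.2.10", "192.0.2.11"],
                        reverse=fake_reverse):
        print(f)
```

Called without the `resolve` and `reverse` arguments, `trace_host` performs live lookups through the system resolver.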


 

Many people received a phishing e-mail with the Subject "FDIC has officially named your bank a failed bank" yesterday appearing to come from the FDIC.  The text from the fraudulent e-mail would appear something like:

You have received this message because you are a holder of a FDIC-insured bank account.
Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.

You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
  • Visit FDIC website: (a fraudulent link was provided here)
  • Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage

It appears this is a new phishing attack where the intent is to attempt to collect personal or confidential information. Recipients of this e-mail should be warned of its nature and encouraged NOT to follow any of the links from the e-mail.

Here is the link to the FDIC Consumer Alert published October 26, 2009 - http://www.fdic.gov/consumers/consumer/alerts/


 

Thousands of Windows Live accounts have been compromised with their passwords posted online.  This information was posted on the Windows Live blog at http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry.  This is unfortunate, but is another example of why one should not use the same password in more than one place.

The blog post states that these were compromised by phishing attempts.  Microsoft has taken measures to block access to all of the accounts that were exposed. However, if you have an account, I would suggest you change the password and secret answer right away just to be safe.


 
 

As of yesterday (May 28, 2007) it appears more than 1,400 executives (from various companies) had been infected by an e-mail attack that dresses itself up as a complaint filed with the Better Business Bureau.

The phishing attack uses details apparently culled from public sources to tailor the e-mail message with a company's name, the name of a senior executive and the executive's e-mail address in an attempt to convince the person to open a malicious attachment.

As with all such attacks, it is wise to never open unsolicited attachments. Up-to-date antivirus software and Intrusion Detection/Prevention systems also provide layers of protection from such attacks.

For more information about this attack, please refer to the following article:
http://www.securityfocus.com/brief/511

For help protecting your business against these types of attacks, please contact us.