heads up on a recent PHISHing attack

I guess others may have users complaining about the PHISH just arriving representing itself as the National Bank while the site collecting is http://www.ffmd.org/bilder/www.nbnz.co.nz/login.html

We've found a live chat with the web provider for ffmd.org and mailed abuse@@b-one.net who own the IP space.

Any other strategies to close an internationally hosted one like this?

-Robert

I think the best bit is this, from the HTML (like this on the real site, as well as the dodgy one):

<!-- uncomment and edit the following line to enable link to phishing info page -->
<!--a href="http://www.nbnz.co.nz/personal/waystobank/protectphishing.htm">Online Security Update: 9 June 2006</a-->

Robert Hunt wrote:
> heads up on a recent PHISHing attack
>
> I guess others may have users complaining about the PHISH just arriving representing itself as the National Bank while the site collecting is http://www.ffmd.org/bilder/www.nbnz.co.nz/login.html
>
> We've found a live chat with the web provider for ffmd.org and mailed abuse@@b-one.net who own the IP space.
>
> Any other strategies to close an internationally hosted one like this?
>
> -Robert
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
> Any other strategies to close an internationally hosted one like this?
Gain contacts in other regions, or hire people who have those contacts.

Thanks for the encouragement, Joe and also Juha. This has been a positive experience actually. I am always keen to develop such helpful contacts as you suggest. In this case as you noticed, the hosting was in Scandinavia.

Curiously a phone call to the National Bank was greeted with "nothing much can be done, and we always tell our customers that they shouldn't put their details into a form from an email, we probably already know about this one, thanks goodbye". I ventured to disagree that "nothing much can be done". The most recent example on their web page was not the most recent, adding to the humour that Nathan sees in this.

Fortunately "something rotten in the state of Denmark" proved to be not so elusive to get removed as just after I got off the phone from the uninterested bank we had a result. The abuse address for the IP block led to some quite quick chain of events with "site suspended" appearing at the URL we were concerned about.

-Robert
--
Robert Hunt            phone +64-3-3645888
Managing Director      fax +64-3-3645828
Plain Communications   roberth(a)plain.co.nz

Hi, Robert.
Sorry for the lagged response; I'm forever on the road. :) We spend
quite a lot of time tracking such nasties, and coordinating among
folks to have them eradicated. If we can ever be of assistance,
please don't hesitate to ping on us. It's best to ping on
On 18/10/06, Robert Hunt
> Any other strategies to close an internationally hosted one like this?

Probably an email or call to the relevant CERT would be good, if you have the time and energy. I just googled 'danish cert' and got to this page:
https://www.cert.dk/kontakt/engver.shtml

Or there's AusCERT's incident report form - you do not need to be an AusCERT member:
http://www.auscert.org.au/render.html?it=3191

Gadi's mailing list on phishing:
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
"Otherwise, to report a malicious website/phishing PRIVATELY and reach all relevant groups, please send email to: c2report(a)isotf.org"

Other reporting sites:
http://www.antiphishing.org/report_phishing.html
http://www.us-cert.gov/nav/report_phishing.html

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr(a)europe.com / jamie.riden(a)gmail.com
NZ Honeynet project - http://www.nz-honeynet.org/

Another site and a toolbar is Netcraft.
Scam(a)netcraft.com
Forward as an attachment and they investigate and add it to their list, or tell you if they already have it.
The toolbar for Firefox and IE is here:
http://toolbar.netcraft.com/help/faq/index.html
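
The reported URL carries the bank's hostname in its path while the server contacted is www.ffmd.org. As an added example (not part of the thread, and not Netcraft's method), a mail or proxy filter could flag that pattern as below; the `PROTECTED_HOSTS` list, the function names and the `example.test` URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumption: hostnames this filter protects. Only www.nbnz.co.nz is from the thread.
PROTECTED_HOSTS = ("www.nbnz.co.nz", "nbnz.co.nz")


def is_protected(host):
    """True if host is a protected hostname or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in PROTECTED_HOSTS)


def embedded_brand(url):
    """Return (real_host, brand) when a protected hostname appears in the URL
    but the server actually contacted is not the brand's; otherwise None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None  # malformed URL (e.g. bad IPv6 literal)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or is_protected(host):
        return None  # no host, or genuinely the bank's own site
    # Parts of the URL that do not select the server: userinfo, path, query.
    userinfo = parts.netloc.rpartition("@")[0]
    decoy = unquote("/".join((userinfo, parts.path, parts.query))).lower()
    for brand in PROTECTED_HOSTS:  # longest name is listed first
        # Brand in the decoy parts, or used as leading labels of a foreign host.
        if brand in decoy or host.startswith(brand + "."):
            return host, brand
    return None


def scan(urls):
    """Map each flagged URL to its (real_host, brand) finding."""
    return {u: hit for u in urls if (hit := embedded_brand(u))}


if __name__ == "__main__":
    # The first two URLs are quoted in the thread; the rest are constructed samples.
    samples = [
        "http://www.ffmd.org/bilder/www.nbnz.co.nz/login.html",
        "http://www.nbnz.co.nz/personal/waystobank/protectphishing.htm",
        "http://www.nbnz.co.nz.example.test/login.html",
        "http://www.nbnz.co.nz@example.test/login",
    ]
    for url, (host, brand) in scan(samples).items():
        print(f"SUSPECT {url}: shows {brand}, connects to {host}")
```
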

participants (6)
- David Taylor
- Jamie Riden
- Joe Abley
- Nathan Ward
- Rob Thomas
- roberth@plain.co.nz