Bankdirect phish
Just got a phish for BankDirect. The telling part: "<a
href="http://www.bankdlrect.co.nz/index_secure.asp" >" - notice the 'l'
where the I should be. Hopefully as this is inside .nz DNS we can get
this one shut down quickly.
The domain is registered with DiscountDomains.co.nz to a RODNEY
GUISTWITE.
admin_contact_name: RODNEY GUISTWITE
admin_contact_address1: 9740 CONIFER LANE
admin_contact_city: MURRELLS INLET
admin_contact_country: US (UNITED STATES)
admin_contact_phone: +84 3 6501641
admin_contact_email: directmain(a)yahoo.com
The email headers:
Received: from firewall.itpartners.co.nz ([10.7.0.254]) by
penfold.itpartners.co.nz with Microsoft SMTPSVC(6.0.3790.1830);
Fri, 30 Sep 2005 08:46:23 +1200
Received: from [218.233.125.18] (helo=-1208382648)
by firewall.itpartners.co.nz with smtp (Exim 4.34)
id 1EL5Iv-0007GJ-5u
for craig(a)itpartners.co.nz; Fri, 30 Sep 2005 08:47:04 +1200
Received: from bankdirect.co.nz (-1208528168 [-1208791160])
by google.com (Qmailv1) with ESMTP id 554E5D0054
for
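An added example, not part of the original thread: one way a mail filter could flag the lookalike link Craig describes, by folding easily confused characters and comparing each href host against a list of protected domains. The protected list, the confusable table and all function names are assumptions made for illustration; the sample message body is constructed around the link quoted above.

```python
import re
from urllib.parse import urlsplit

# Assumption: the list of protected brand domains; only this one comes from the thread.
PROTECTED = {"bankdirect.co.nz"}
# Illustrative, non-exhaustive single-character look-alikes, folded to one form.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})
HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

def normalise(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def skeleton(name):
    # Fold multi-character tricks first (rn -> m, vv -> w), then single characters.
    return name.replace("rn", "m").replace("vv", "w").translate(CONFUSABLE)

def edit_distance(a, b):
    # Plain Levenshtein distance, catching one inserted, dropped or swapped character.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    name = normalise(host)
    if any(name == b or name.endswith("." + b) for b in PROTECTED):
        return "legitimate"
    for brand in PROTECTED:
        if skeleton(name) == skeleton(brand) or edit_distance(name, brand) <= 1:
            return "lookalike"
    return "unrelated"

def suspicious_links(html):
    hits = []
    for url in HREF.findall(html):
        host = urlsplit(url).hostname
        if host and classify(host) == "lookalike":
            hits.append(url)
    return hits

# Constructed sample body; the first href is the one quoted in the thread.
SAMPLE = '''<p>Dear customer, please <a
href="http://www.bankdlrect.co.nz/index_secure.asp" >log in</a> to confirm.</p>
<p>Our site: <a href="http://www.bankdirect.co.nz/">BankDirect</a></p>
<p><a href="http://list.waikato.ac.nz/mailman/listinfo/nznog">list info</a></p>'''

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE):
        print("lookalike link:", url)
```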
If a few of you were to run this in a loop it may screw things up for them
#!/usr/bin/perl -w
my $url = "http://www.bankdlrect.co.nz/Logon.html";
use WWW::Mechanize;
use String::Random;
$randstuff = new String::Random;
my $fakeuser = $randstuff->randregex('\d\d\d\d\d\d\d\d'); # Prints random digits
my $fakepass = $randstuff->randpattern("........"); # Prints random printable characters
my $mech = WWW::Mechanize->new();
$mech->get( $url );
#$mech->follow_link( n => 3 );
#$mech->follow_link( text_regex => qr/download this/i );
#$mech->follow_link( url => 'http://host.com/index.html' );
$mech->submit_form(
    form_number => 1,
    fields => {
        username => '$fakeuser',
        password => 'fakepass',
    }
);
print "Logging into $url with $fakeuser and $fakepass\n";
Liz
On Fri, 30 Sep 2005 08:55, James Clark wrote:
> Craig Box wrote:
>> Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >"
> I've seen this phish as well.
> Cheers, James.
> _______________________________________________
> NZNOG mailing list
> NZNOG(a)list.waikato.ac.nz
> http://list.waikato.ac.nz/mailman/listinfo/nznog
-- It's a poor sort of memory that only works backwards.
nice. There are a few no-hat attacker sites out there who delight in causing chaos to ordinary people.. (growl, rant deleted)
pity there are no "attack the attackers" sites.. are we scared of them or something ?
S
On Fri, 2005-09-30 at 09:49 +1200, Liz Q wrote:
> If a few of you were to run this in a loop it may screw things up for them
> #!/usr/bin/perl -w
> my $url = "http://www.bankdlrect.co.nz/Logon.html";
> use WWW::Mechanize;
> use String::Random;
> $randstuff = new String::Random;
> my $fakeuser = $randstuff->randregex('\d\d\d\d\d\d\d\d'); # Prints random digits
> my $fakepass = $randstuff->randpattern("........"); # Prints random printable characters
> my $mech = WWW::Mechanize->new();
> $mech->get( $url );
> #$mech->follow_link( n => 3 );
> #$mech->follow_link( text_regex => qr/download this/i );
> #$mech->follow_link( url => 'http://host.com/index.html' );
> $mech->submit_form(
>     form_number => 1,
>     fields => {
>         username => '$fakeuser',
>         password => 'fakepass',
>     }
> );
> print "Logging into $url with $fakeuser and $fakepass\n";
> Liz
> On Fri, 30 Sep 2005 08:55, James Clark wrote:
>> Craig Box wrote:
>>> Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >"
>> I've seen this phish as well.
>> Cheers, James.
On 29-Sep-2005, at 16:52, Craig Box wrote:
> Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >" - notice the 'l' where the I should be. Hopefully as this is inside .nz DNS we can get this one shut down quickly.
Shame the banks didn't have a "bank.nz" second-level domain to name their services under, eh?
Joe (running away quickly)
Joe Abley wrote:
> On 29-Sep-2005, at 16:52, Craig Box wrote:
>> Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >" - notice the 'l' where the I should be. Hopefully as this is inside .nz DNS we can get this one shut down quickly.
> Shame the banks didn't have a "bank.nz" second-level domain to name their services under, eh?
> Joe (running away quickly)
Yes. run :P
For as long as the Registrars continue to be 'good netizens' and deal promptly with phishers, is that not a better way to go? At least it means no one can afford to turn a blind eye to the practice.
.bank.nz would shield a proportion of users, but in the end, the users who fall for phishing attempts are unlikely to spot the difference between bank.nz and co.nz, IMHO.
Mark.
Mark Foster wrote:
> For as long as the Registrars continue to be 'good netizens' and deal promptly with phishers, is that not a better way to go? At least it means no one can afford to turn a blind eye to the practice.
I think we should be very, very wary of allowing Registrars to decide when domain names should be cancelled.
participants (8): Andy Linton, Craig Box, Dave - Dave.net.nz, James Clark, Joe Abley, Liz Q, Mark Foster, Steve Wright