Bankdirect phish

Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >" - notice the 'l' where the I should be. Hopefully as this is inside .nz DNS we can get this one shut down quickly.

The domain is registered with DiscountDomains.co.nz to a RODNEY GUISTWITE.

admin_contact_name: RODNEY GUISTWITE
admin_contact_address1: 9740 CONIFER LANE
admin_contact_city: MURRELLS INLET
admin_contact_country: US (UNITED STATES)
admin_contact_phone: +84 3 6501641
admin_contact_email: directmain(a)yahoo.com

The email headers:

Received: from firewall.itpartners.co.nz ([10.7.0.254]) by penfold.itpartners.co.nz with Microsoft SMTPSVC(6.0.3790.1830); Fri, 30 Sep 2005 08:46:23 +1200
Received: from [218.233.125.18] (helo=-1208382648) by firewall.itpartners.co.nz with smtp (Exim 4.34) id 1EL5Iv-0007GJ-5u for craig(a)itpartners.co.nz; Fri, 30 Sep 2005 08:47:04 +1200
Received: from bankdirect.co.nz (-1208528168 [-1208791160]) by google.com (Qmailv1) with ESMTP id 554E5D0054 for <craig(a)itpartners.co.nz>; Thu, 29 Sep 2005 13:13:12 -0700
Date: Thu, 29 Sep 2005 13:13:12 -0700
From: Bankdirect Accounts <accounts(a)bankdirect.co.nz>
X-Mailer: The Bat! (v2.00.8) Personal
X-Priority: 3
Message-ID: <5432025998.20050929131312(a)bankdirect.co.nz>
To: Craig <craig(a)itpartners.co.nz>
Subject: New Fraud-Prevention system.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------C0723C19AFB5862"
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Spam-Score: -5.8 {-----}
X-Spam-Report: No, hits=-5.8 required=5.0 tests=ALL_TRUSTED,BAYES_00,HTML_MESSAGE,HTML_TAG_EXIST_TBODY autolearn=ham version=3.0.2
Return-Path: accounts(a)bankdirect.co.nz
X-OriginalArrivalTime: 29 Sep 2005 20:46:23.0798 (UTC) FILETIME=[DAB2BD60:01C5C536]

Craig Box              Phone  07 957 2653
IT Partners Ltd        Fax    07 957 2659
PO Box 9361            Mobile 021 475 869
Hamilton, New Zealand
_________________________________________________________________
#include <standard-disclaimer.h>
_________________________________________________________________
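Added example, not part of the original thread: a mail-filter style check that flags links whose host collapses to a protected domain once visually confusable characters are normalised, which is the 'l'-for-'i' swap in the message above. The protected list, the confusables table and the sample body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the filter protects (normally loaded from config).
PROTECTED = {"bankdirect.co.nz"}

# Constructed, non-exhaustive confusables table: each pair collapses
# characters that look alike in common fonts to one canonical form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o")]

HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)

# Constructed sample body: the href quoted in the thread plus a genuine link.
SAMPLE_BODY = (
    '<p>New Fraud-Prevention system.</p>'
    '<a href="http://www.bankdlrect.co.nz/index_secure.asp" >Log on</a>'
    '<a href="https://www.bankdirect.co.nz/help">Help</a>'
)

def skeleton(domain):
    """Collapse confusable characters so look-alike names compare equal."""
    domain = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain

def lookalike_of(host, protected=PROTECTED):
    """Return the protected domain that `host` imitates, or None."""
    labels = host.lower().rstrip(".").split(".")
    for good in protected:
        # Compare only the trailing labels, so www. and other subdomains
        # of either the genuine or the fake domain are handled.
        candidate = ".".join(labels[-(good.count(".") + 1):])
        if candidate == good:
            return None  # genuine domain or one of its subdomains
        if skeleton(candidate) == skeleton(good):
            return good
    return None

def suspicious_links(html, protected=PROTECTED):
    """List (url, host, imitated_domain) for every look-alike href."""
    hits = []
    for url in HREF_RE.findall(html):
        host = urlsplit(url).hostname or ""
        target = lookalike_of(host, protected)
        if target:
            hits.append((url, host, target))
    return hits

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_BODY):
        print("look-alike link:", hit)
```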

Craig Box wrote:
Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >"
I've seen this phish as well.
Cheers, James.

James Clark wrote:
Craig Box wrote:
Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >"
I've seen this phish as well.
me too... mmm, it's beer day. sorry, just had to.

If a few of you were to run this in a loop it may screw things up for them

#!/usr/bin/perl -w
my $url = "http://www.bankdlrect.co.nz/Logon.html";
use WWW::Mechanize;
use String::Random;
$randstuff = new String::Random;
my $fakeuser = $randstuff->randregex('\d\d\d\d\d\d\d\d'); # Prints random digits
my $fakepass = $randstuff->randpattern("........"); # Prints random printable characters
my $mech = WWW::Mechanize->new();
$mech->get( $url );
#$mech->follow_link( n => 3 );
#$mech->follow_link( text_regex => qr/download this/i );
#$mech->follow_link( url => 'http://host.com/index.html' );
$mech->submit_form(
    form_number => 1,
    fields => { username => '$fakeuser', password => 'fakepass', }
);
print "Logging into $url with $fakeuser and $fakepass\n";

Liz

On Fri, 30 Sep 2005 08:55, James Clark wrote:
Craig Box wrote:
Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >"
I've seen this phish as well.
Cheers, James.
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
-- It's a poor sort of memory that only works backwards.

nice. There are a few no-hat attacker sites out there who delight in causing chaos to ordinary people.. (growl, rant deleted) pity there are no "attack the attackers" sites.. are we scared of them or something ?
S

On Fri, 2005-09-30 at 09:49 +1200, Liz Q wrote:
If a few of you were to run this in a loop it may screw things up for them
#!/usr/bin/perl -w
my $url = "http://www.bankdlrect.co.nz/Logon.html";
use WWW::Mechanize;
use String::Random;
$randstuff = new String::Random;
my $fakeuser = $randstuff->randregex('\d\d\d\d\d\d\d\d'); # Prints random digits
my $fakepass = $randstuff->randpattern("........"); # Prints random printable characters
my $mech = WWW::Mechanize->new();
$mech->get( $url );
#$mech->follow_link( n => 3 );
#$mech->follow_link( text_regex => qr/download this/i );
#$mech->follow_link( url => 'http://host.com/index.html' );
$mech->submit_form(
    form_number => 1,
    fields => { username => '$fakeuser', password => 'fakepass', }
);
print "Logging into $url with $fakeuser and $fakepass\n";
Liz
On Fri, 30 Sep 2005 08:55, James Clark wrote:
Craig Box wrote:
Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >"
I've seen this phish as well.
Cheers, James.

On 29-Sep-2005, at 16:52, Craig Box wrote:
Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >" - notice the 'l' where the I should be. Hopefully as this is inside .nz DNS we can get this one shut down quickly.
Shame the banks didn't have a "bank.nz" second-level domain to name their services under, eh? Joe (running away quickly)

Joe Abley wrote:
On 29-Sep-2005, at 16:52, Craig Box wrote:
Just got a phish for BankDirect. The telling part: "<a href="http://www.bankdlrect.co.nz/index_secure.asp" >" - notice the 'l' where the I should be. Hopefully as this is inside .nz DNS we can get this one shut down quickly.
Shame the banks didn't have a "bank.nz" second-level domain to name their services under, eh?
Joe (running away quickly)
Yes. run :P
For as long as the Registrars continue to be 'good netizens' and deal promptly with phishers, is that not a better way to go? At least it means no one can afford to turn a blind eye to the practice. .bank.nz would shield a proportion of users, but in the end, the users who fall for phishing attempts are unlikely to spot the difference between bank.nz and co.nz, IMHO.
Mark.

Mark Foster wrote:
For as long as the Registrars continue to be 'good netizens' and deal promptly with phishers, is that not a better way to go? At least it means no one can afford to turn a blind eye to the practice.
I think we should be very, very wary of allowing Registrars to decide when domain names should be cancelled.

participants (8): Andy Linton, Craig Box, Dave - Dave.net.nz, James Clark, Joe Abley, Liz Q, Mark Foster, Steve Wright