
All,
You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam.
If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.
It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.
I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.
The logic of the site is roughly:
<snip>
# Validate input and set error if validation fails
if(error){
  "You must fill in the red fields"
}else{
  "Our servers are down due to heavy traffic, please try again later"
}
# send data to servers anyway
</snip>
-- Nathan Ward

It sounds like a good idea – Restaurant brands could have a separate company with a depot in each town where the staff deliver for KFC, Starbucks, Carls Jr and Pizza Hut
Ray Taylor Taylor Communications ray(a)ruralkiwi.com
Napier: 06-929-9082 Waipukurau: 06-928-0549
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Nathan Ward Sent: Sunday, 18 October 2015 7:02 p.m. To: nznog Subject: [nznog] kfcdelivery.co.nz ongoing scam
All,
You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam.
If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.
It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.
I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.
The logic of the site is roughly:
<snip>
# Validate input and set error if validation fails
if(error){
  "You must fill in the red fields"
}else{
  "Our servers are down due to heavy traffic, please try again later"
}
# send data to servers anyway
</snip>
-- Nathan Ward

Sure, and they used to do delivery years ago. People want it, which is why this is working so well - I expect there’ll have been several thousand CC numbers go in to this form today.
Police are telling me that KFC have submitted something to the registrar to get the domain pulled, it that could take days for them to get around to that email. Their e-crimes guys aren’t working today apparently so there’s not much they can do to follow up and try nab whoever’s doing this before it gets pulled and they disappear.
I’ve contacted Cloudflare through their abuse site, and through some direct contacts, so we’ll see what comes of that.. I’m sure there’s plenty of hungover people who just want some KFC who’re going to have the headache extended when they find out their CC info has been popped.
-- Nathan Ward
On 18/10/2015, at 19:33, Ray Taylor <ray(a)ruralkiwi.com> wrote:
It sounds like a good idea – Restaurant brands could have a separate company with a depot in each town where the staff deliver for KFC, Starbucks, Carls Jr and Pizza Hut
Ray Taylor Taylor Communications ray(a)ruralkiwi.com
Napier: 06-929-9082 Waipukurau: 06-928-0549
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog

We've killed the site for spark users.
Cheers N
Sent from my mobile device. Please excuse brevity and any autocorrect issues.
From: Nathan Ward <nznog(a)daork.net> Sent: 18/10/2015 7:40 pm To: Ray Taylor Cc: nznog Subject: Re: [nznog] kfcdelivery.co.nz ongoing scam
Sure, and they used to do delivery years ago. People want it, which is why this is working so well - I expect there'll have been several thousand CC numbers go in to this form today.
Police are telling me that KFC have submitted something to the registrar to get the domain pulled, it that could take days for them to get around to that email. Their e-crimes guys aren't working today apparently so there's not much they can do to follow up and try nab whoever's doing this before it gets pulled and they disappear.
I've contacted Cloudflare through their abuse site, and through some direct contacts, so we'll see what comes of that.. I'm sure there's plenty of hungover people who just want some KFC who're going to have the headache extended when they find out their CC info has been popped.
-- Nathan Ward

I've contacted the registrar. They killed this yesterday.
On 18 Oct 2015 19:55, "Neil Gardner" <Neil.Gardner(a)spark.co.nz> wrote:
We've killed the site for spark users.
Cheers N
Sent from my mobile device. Please excuse brevity and any autocorrect issues.

Still alive in other networks though but now Chrome warns it's a phishing site.
Cheers
Mauricio Freitas http://about.me/freitasm
From: nznog-bounces(a)list.waikato.ac.nz <nznog-bounces(a)list.waikato.ac.nz> on behalf of Dan Wallis <mrdanwallis(a)gmail.com> Sent: Monday, October 19, 2015 08:39 To: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] kfcdelivery.co.nz ongoing scam
I've contacted the registrar. They killed this yesterday.

As does Firefox
Cheers
David
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Mauricio Freitas Sent: Monday, 19 October 2015 9:46 a.m. To: Dan Wallis <mrdanwallis(a)gmail.com>; nznog(a)list.waikato.ac.nz Subject: Re: [nznog] kfcdelivery.co.nz ongoing scam
Still alive in other networks though but now Chrome warns it's a phishing site.
Cheers
Mauricio Freitas http://about.me/freitasm

The warning is from Cloudflare, none of the browsers I have generate a warning themselves - but if cloudflare have it that’s good enough :-)
-- Nathan Ward
On 19/10/2015, at 09:48, David Mitchell <David.Mitchell(a)lanworx.co.nz> wrote:
As does Firefox
Cheers
David

Hi all
This is back again, this time under “orderkfc.co.nz”.
Same deal as last time.. though, anyone know anyone with Crazy Domains? In my experience they’ve been even harder to reach than registrars normally are.
-- Nathan Ward
On 18/10/2015, at 19:01, Nathan Ward <nznog(a)daork.net> wrote:
All,
You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam.
If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.
It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.
I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.
The logic of the site is roughly:
<snip>
# Validate input and set error if validation fails
if(error){
  "You must fill in the red fields"
}else{
  "Our servers are down due to heavy traffic, please try again later"
}
# send data to servers anyway
</snip>
-- Nathan Ward

Hi Nathan,
We (NZRS) have reached out to contacts at Crazy Domains and pointed them to this list and the raised issue.
Kind regards
David
David Morrison Chief Marketing Officer NZRS Ltd
P +64 49316973 M +64 274366182 F +64 49316979 E david(a)nzrs.net.nz W www.nzrs.net.nz S david.morrisonnz T @dotnz
PGP 7A38 2F84 C7DF 8FF2 34F8 B4F2 BC54 10AE 2501 6600
On 19/10/2015, at 11:18 pm, Nathan Ward <nznog(a)daork.net> wrote:
Hi all
This is back again, this time under “orderkfc.co.nz”.
Same deal as last time.. though, anyone know anyone with Crazy Domains? In my experience they’ve been even harder to reach than registrars normally are.
-- Nathan Ward

Hi,
Yeah I managed to get through to Crazy Domains support which surprised me, and they have flagged it to their operations folks as well. It looks like they have yet to take action, over an hour later - the whois still shows the CloudFlare NSes.
Unfortunately, even when this is pulled, this will stay in the DNS for up to 24 hours if it’s already in your cache. Once it’s removed (perhaps someone can notify here, I’ll do that if I get told that it’s happened before I see info here) I encourage people to flush their recursive DNS caches if possible, and add dummy zones for these things if not.
You want to configure your servers to return bad data. Returning REFUSED won’t work in all cases, because hosts fail over to other DNS servers that are configured - I tested this by configuring my server, and 8.8.8.8 as DNS servers on my local machine. Then again, you might find that the number of people who have additional name servers configured that are not on your network is pretty small.
Perhaps 127.0.0.1 isn’t best, I’m not sure. Anyway, config for those who want it:
Unbound (tested on 1.5.1):
local-zone: "orderkfc.co.nz." static
local-data: "www.orderkfc.co.nz. 300 IN A 127.0.0.1"
local-data: "orderkfc.co.nz. 300 IN A 127.0.0.1"
Bind (tested on 9.8.something):
named.conf:
zone "orderkfc.co.nz." IN { type master; file "block"; };
Bind zone file ‘block’:
@ IN SOA ns1 hostmaster ( 1 7200 120 86400 360 )
    IN NS ns1
    IN A 127.0.0.1
www IN A 127.0.0.1
-- Nathan Ward
On 19/10/2015, at 23:43, David Morrison <david(a)nzrs.net.nz> wrote:
Hi Nathan,
We (NZRS) have reached out to contacts at Crazy Domains and pointed them to this list and the raised issue.
Kind regards
David
David Morrison Chief Marketing Officer NZRS Ltd
P +64 49316973 M +64 274366182 F +64 49316979 E david(a)nzrs.net.nz W www.nzrs.net.nz S david.morrisonnz T @dotnz
PGP 7A38 2F84 C7DF 8FF2 34F8 B4F2 BC54 10AE 2501 6600
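
Added example, not part of the thread or any poster's code: a generator for the Unbound and BIND sinkhole stanzas in Nathan Ward's message, extended to a whole list of scam domains and to the messy forms (URLs, trailing dots, mixed case) in which they get reported. The `PROTECTED` set, the sample entries and all function names are assumptions made for illustration; the sinkhole address, TTL and the shared `block` zone file name are the ones used in the thread.

```python
"""Added example: build DNS sinkhole config for a list of scam domains."""
import re
from urllib.parse import urlsplit

SINKHOLE_IP = "127.0.0.1"  # answer used in the thread
TTL = 300                  # TTL used in the thread's Unbound lines
# Assumption: tiny stand-in for the Public Suffix List. Sinkholing one of
# these would black-hole every domain registered beneath it.
PROTECTED = {"nz", "co.nz", "net.nz", "org.nz", "com"}
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample of what tends to arrive in a block request.
SAMPLE = [
    "kfcdelivery.co.nz",
    "http://orderkfc.co.nz/",
    "WWW.OrderKFC.co.nz.",      # duplicate of the previous entry
    "co.nz",                    # far too broad
    'foo.nz" transparent',      # would break out of the quoted config string
    "# comment",
    "",
]


def normalize(entry):
    """Return the zone name for a pasted indicator, or None if it is not a hostname."""
    text = entry.strip().lower()
    try:
        host = urlsplit(text).hostname if "://" in text else text.split("/", 1)[0]
    except ValueError:
        return None
    host = (host or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]          # the zone covers www and every other name below it
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        return None
    # Strict label check: nothing but letters, digits and hyphens reaches the config.
    if not all(LABEL.fullmatch(label) for label in labels):
        return None
    return host


def build(entries):
    """Split entries into (zones to sinkhole, entries rejected for review)."""
    zones, rejected = [], []
    for entry in entries:
        if not entry.strip() or entry.lstrip().startswith("#"):
            continue
        zone = normalize(entry)
        if zone is None or zone in PROTECTED:
            rejected.append(entry)
        elif zone not in zones:
            zones.append(zone)
    return zones, rejected


def unbound_conf(zones):
    """Lines for the server: clause of unbound.conf, same shape as in the thread."""
    lines = []
    for zone in zones:
        lines.append(f'local-zone: "{zone}." static')
        lines.append(f'local-data: "{zone}. {TTL} IN A {SINKHOLE_IP}"')
        lines.append(f'local-data: "www.{zone}. {TTL} IN A {SINKHOLE_IP}"')
    return "\n".join(lines) + "\n"


def bind_conf(zones, zone_file="block"):
    """named.conf stanzas; every zone reuses the thread's single 'block' zone file."""
    return "".join(
        f'zone "{zone}." IN {{ type master; file "{zone_file}"; }};\n' for zone in zones
    )


def is_blocked(qname, zones):
    """True if qname is a sinkholed zone or a name beneath one (label-boundary match)."""
    name = qname.lower().rstrip(".")
    return any(name == zone or name.endswith("." + zone) for zone in zones)


if __name__ == "__main__":
    zones, rejected = build(SAMPLE)
    print(unbound_conf(zones))
    print(bind_conf(zones))
    print("rejected, needs a human:", rejected)
```

`is_blocked` can be run over resolver query logs to find clients that looked up a sinkholed name before the block went in.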

I have just had confirmation that Crazy Domains are changing Name Servers and suspending account now.
Regards David
Sent from my iPhone
On 19/10/2015, at 12:55 PM, Nathan Ward <nznog(a)daork.net> wrote:
Hi,
Yeah I managed to get through to Crazy Domains support which surprised me, and they have flagged it to their operations folks as well. It looks like they have yet to take action, over an hour later - the whois still shows the CloudFlare NSes.
Unfortunately, even when this is pulled, this will stay in the DNS for up to 24 hours if it’s already in your cache. Once it’s removed (perhaps someone can notify here, I’ll do that if I get told that it’s happened before I see info here) I encourage people to flush their recursive DNS caches if possible, and add dummy zones for these things if not.
You want to configure your servers to return bad data. Returning REFUSED won’t work in all cases, because hosts fail over to other DNS servers that are configured - I tested this by configuring my server, and 8.8.8.8 as DNS servers on my local machine. Then again, you might find that the number of people who have additional name servers configured that are not on your network is pretty small.
Perhaps 127.0.0.1 isn’t best, I’m not sure. Anyway, config for those who want it:
Unbound (tested on 1.5.1):
local-zone: "orderkfc.co.nz." static
local-data: "www.orderkfc.co.nz. 300 IN A 127.0.0.1"
local-data: "orderkfc.co.nz. 300 IN A 127.0.0.1"
Bind (tested on 9.8.something):
named.conf:
zone "orderkfc.co.nz." IN { type master; file "block"; };
Bind zone file ‘block’:
@ IN SOA ns1 hostmaster ( 1 7200 120 86400 360 )
    IN NS ns1
    IN A 127.0.0.1
www IN A 127.0.0.1
-- Nathan Ward
On 19/10/2015, at 23:43, David Morrison <david(a)nzrs.net.nz> wrote:
Hi Nathan,
We (NZRS) have reached out to contacts at Crazy Domains and pointed them to this list and the raised issue.
Kind regards
David
David Morrison Chief Marketing Officer NZRS Ltd
P +64 49316973 M +64 274366182 F +64 49316979 E david(a)nzrs.net.nz W www.nzrs.net.nz S david.morrisonnz T @dotnz
PGP 7A38 2F84 C7DF 8FF2 34F8 B4F2 BC54 10AE 2501 6600
On 19/10/2015, at 11:18 pm, Nathan Ward <nznog(a)daork.net> wrote:
Hi all
This is back again, this time under “orderkfc.co.nz”.
Same deal as last time.. though, anyone know anyone with Crazy Domains? In my experience they’ve been even harder to reach than registrars normally are.
-- Nathan Ward
On 18/10/2015, at 19:01, Nathan Ward <nznog(a)daork.net> wrote:
All,
You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam.
If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.
It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.
I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.
The logic of the site is roughly: <snip> # Validate input and set error if validation fails
if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }
# send data to servers anyway </snip>
-- Nathan Ward
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
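Added example, not part of any message in this thread: a Python sketch that emits the Unbound and BIND blocking config quoted above for a whole list of domains, validating each entry so a blocklist line cannot inject config syntax. The function names and the BLOCKED list are assumptions; the sinkhole address, TTL and zone file name "block" are the ones used in the thread's config, and every BIND zone can share that one file because it uses only origin-relative names.

```python
import re

# Constructed sample blocklist: the two domains named in this thread.
BLOCKED = ["kfcdelivery.co.nz", "orderkfc.co.nz"]
SINKHOLE = "127.0.0.1"  # address used in the thread's config
TTL = 300               # TTL used in the thread's Unbound config

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalise(domain):
    """Lower-case the name, drop the trailing dot, and reject anything that
    is not a plain hostname (quotes, spaces, semicolons, newlines ...)."""
    name = domain.strip().lower().rstrip(".")
    labels = name.split(".")
    if (len(name) > 253 or len(labels) < 2
            or not all(_LABEL.fullmatch(label) for label in labels)):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return name


def _clean(domains):
    """Validated, de-duplicated, sorted list of names."""
    return sorted({normalise(d) for d in domains})


def unbound_conf(domains):
    """Lines for the server: clause of unbound.conf (apex and www)."""
    out = []
    for d in _clean(domains):
        out.append(f'local-zone: "{d}." static')
        out.append(f'local-data: "{d}. {TTL} IN A {SINKHOLE}"')
        out.append(f'local-data: "www.{d}. {TTL} IN A {SINKHOLE}"')
    return "\n".join(out) + "\n"


def bind_conf(domains, zone_file="block"):
    """named.conf zone stanzas, all pointing at the same zone file."""
    return "".join(
        f'zone "{d}." IN {{ type master; file "{zone_file}"; }};\n'
        for d in _clean(domains)
    )


if __name__ == "__main__":
    print(unbound_conf(BLOCKED))
    print(bind_conf(BLOCKED))
```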

This has been updated as of about 2 minutes ago. Time to flush caches if you can :-)
-- Nathan Ward
On 20/10/2015, at 01:15, David Morrison <david(a)nzrs.net.nz> wrote:
I have just had confirmation that Crazy Domains are changing Name Servers and suspending account now.
Regards David
Sent from my iPhone
On 19/10/2015, at 12:55 PM, Nathan Ward <nznog(a)daork.net> wrote:
Hi,
Yeah I managed to get through to Crazy Domains support which surprised me, and they have flagged it to their operations folks as well. It looks like they have yet to take action, over an hour later - the whois still shows the CloudFlare NSes.
Unfortunately, even when this is pulled, this will stay in the DNS for up to 24 hours if it’s already in your cache. Once it’s removed (perhaps someone can notify here, I’ll do that if I get told that it’s happened before I see info here) I encourage people to flush their recursive DNS caches if possible, and add dummy zones for these things if not.
You want to configure your servers to return bad data. Returning REFUSED won’t work in all cases, because hosts fail over to other DNS servers that are configured - I tested this by configuring my server, and 8.8.8.8 as DNS servers on my local machine. Then again, you might find that the number of people who have additional name servers configured that are not on your network is pretty small.
Perhaps 127.0.0.1 isn’t best, I’m not sure. Anyway, config for those who want it:
Unbound (tested on 1.5.1):
    local-zone: "orderkfc.co.nz." static
    local-data: "www.orderkfc.co.nz. 300 IN A 127.0.0.1"
    local-data: "orderkfc.co.nz. 300 IN A 127.0.0.1"
Bind (tested on 9.8.something):
named.conf:
    zone "orderkfc.co.nz." IN { type master; file "block"; };
Bind zone file 'block':
    @ IN SOA ns1 hostmaster ( 1 7200 120 86400 360 )
      IN NS ns1
      IN A 127.0.0.1
    www IN A 127.0.0.1
-- Nathan Ward
On 19/10/2015, at 23:43, David Morrison <david(a)nzrs.net.nz> wrote:
Hi Nathan,
We (NZRS) have reached out to contacts at Crazy Domains and pointed them to this list and the raised issue.
Kind regards
David
David Morrison Chief Marketing Officer NZRS Ltd
P +64 49316973 M +64 274366182 F +64 49316979 E david(a)nzrs.net.nz W www.nzrs.net.nz S david.morrisonnz T @dotnz
PGP 7A38 2F84 C7DF 8FF2 34F8 B4F2 BC54 10AE 2501 6600
On 19/10/2015, at 11:18 pm, Nathan Ward <nznog(a)daork.net> wrote:
Hi all
This is back again, this time under “orderkfc.co.nz”.
Same deal as last time.. though, anyone know anyone with Crazy Domains? In my experience they’ve been even harder to reach than registrars normally are.
-- Nathan Ward
On 18/10/2015, at 19:01, Nathan Ward <nznog(a)daork.net> wrote:
All,
You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam.
If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.
It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.
I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.
The logic of the site is roughly: <snip> # Validate input and set error if validation fails
if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }
# send data to servers anyway </snip>
-- Nathan Ward

Hi All,
Wearing my NZITF hat here.
We're tracking and co-ordinating a response with a number of parties to this. In short, we're on it.
This post isn't to shut people up, but to reassure people that there is an org handling this (seeing as we don't have a CSIRT yet. Watch this space)
If you have any more information on this or other similar things then feel free to email info(a)nzitf.org.nz and rest assured that someone with clue will look at it and make sure that something gets done.
Regards,
Dean Pemberton
NZITF Board Member.
On Sun, Oct 18, 2015 at 7:01 PM, Nathan Ward <nznog(a)daork.net> wrote:
All,
You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam.
If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.
It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.
I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.
The logic of the site is roughly: <snip> # Validate input and set error if validation fails
if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }
# send data to servers anyway </snip>
-- Nathan Ward
participants (8)
- Dan Wallis
- David Mitchell
- David Morrison
- Dean Pemberton
- Mauricio Freitas
- Nathan Ward
- Neil Gardner
- Ray Taylor