Thursday, March 30, 2006

Another Phisherman from China


Earlier tonight I got the third "phishing" attempt in a week, this time spoofed as an e-mail from PayPal. The subject was obviously b.s., because PayPal would not email me to "Restore Your Account Access - mrlinuxhead@yahoo.com (Routing Code: XXXXXXXXXXX)".

It was just yesterday I got a second spoofed email from the same clown, posing as an eBay buyer. Even after I told eBay, the web server is still up, putting out web pages to unsuspecting customers. This is getting to be too much.

Here follows the text of the spoof email:


Date: Fri, 31 Mar 2006 09:04:34 +0530
To: mrlinuxhead@yahoo.com
Subject: Restore Your Account Access - mrlinuxhead@yahoo.com (Routing Code: XXXXXXXXXXXXXXX)
From: "PayPal Security Service"

Web Bug from http://mail.yahoo.com/config/login?/pp.files/pixel.gif

Dear mrlinuxhead@yahoo.com,

It has come to our attention that your PayPal® account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.


However, failure to update your records will result in account suspension.
Please update your records on or before April 02, 2006.

Once you have updated your account records, your PayPal® session will not be
interrupted and will continue as normal.

To update your PayPal® records click on the following link:
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/restrictedaccounts.asp



Thank You.
PayPal® UPDATE TEAM

Accounts Management As outlined in our User Agreement, PayPal® will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User Agreement if you have any questions.
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside


I snarfed the URL that the link actually points to: approx. 40 characters out, the REAL URL appears.

It looks like this:

http://rds.yahoo.com/_ylt%C2%A0LaSV66XXXXXXXXXXXXXXXXXX
XXXXX/**http%3a//ns2.bsasiagroup.com/.run/index.php?
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside

With XXXXXXXXXXXXXXXXXX to keep the curious out of trouble. You get the idea.
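As an added example (not part of the original post), the Python below unwraps the rds.yahoo.com "/**" redirector pattern shown above and flags a link whose visible text and real destination name different hosts. The redacted part of the URL is replaced with a constructed REDACTED_TOKEN placeholder.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the link in the post. The visible link text
# is the decoy paypal.com URL; the href routes through the Yahoo redirector
# and the "XXXX..." redaction is replaced with a placeholder token.
DISPLAYED_TEXT = "http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside"
ACTUAL_HREF = (
    "http://rds.yahoo.com/_ylt%C2%A0LaSV66REDACTED_TOKEN"
    "/**http%3a//ns2.bsasiagroup.com/.run/index.php?"
    "http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside"
)

REDIRECT_MARKER = "/**"


def unwrap_redirect(href: str) -> str:
    """Return the URL an href really lands on.

    The redirector in the post carries its target after a literal '/**' with
    the scheme percent-encoded ('http%3a//'). Everything before the marker
    (including the %C2%A0 tracking prefix) is discarded. An href without the
    marker is its own destination.
    """
    if REDIRECT_MARKER not in href:
        return href
    encoded_target = href.split(REDIRECT_MARKER, 1)[1]
    return unquote(encoded_target)


def link_hosts(displayed: str, href: str) -> tuple:
    """Return (host named in the visible text, host the href really reaches)."""
    shown = urlsplit(displayed).hostname or ""
    real = urlsplit(unwrap_redirect(href)).hostname or ""
    return shown.lower(), real.lower()


def is_spoofed_link(displayed: str, href: str) -> bool:
    """True when the link text shows one host but the href resolves to another.

    Link text that is not a URL at all ("click here") yields no host and is
    not reported here; only a mismatching visible host is flagged.
    """
    shown, real = link_hosts(displayed, href)
    return bool(shown) and shown != real


if __name__ == "__main__":
    shown, real = link_hosts(DISPLAYED_TEXT, ACTUAL_HREF)
    print(f"shown: {shown}  real: {real}  spoofed: {is_spoofed_link(DISPLAYED_TEXT, ACTUAL_HREF)}")
```

The decoy paypal.com URL survives as the query string of the real target, which is why a naive "does the link contain paypal.com" check passes while the host comparison fails.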

The URLs point to a server in Hong Kong. I found this with DNSStuff.

bsasiagroup.com

bsasiagroup.com. MX IN 86400 mail.bsasiagroup.com. [Preference = 10]
bsasiagroup.com. NS IN 86400 ns2.bsasiagroup.com.
bsasiagroup.com. NS IN 86400 ns3.bsasiagroup.com.
mail.bsasiagroup.com. A IN 86400 210.17.251.159

bsasiagroup.com. NS IN 86400 ns2.bsasiagroup.com.
bsasiagroup.com. NS IN 86400 ns3.bsasiagroup.com.
bsasiagroup.com. MX IN 86400 mail.bsasiagroup.com. [Preference = 10]
ns2.bsasiagroup.com. A IN 86400 210.17.251.157
ns3.bsasiagroup.com. A IN 86400 210.17.251.158
mail.bsasiagroup.com. A IN 86400 210.17.251.159

IP address: 210.17.251.157
Reverse DNS: [No reverse DNS entry per ns1.pacific.net.hk.]
Reverse DNS authenticity: [Unknown]
ASN: 2706
ASN Name: HKSUPER-HK-AP (Pacific Supernet Limited)
IP range connectivity: 5
Registrar (per ASN): APNIC
Country (per IP registrar): HK [Hong Kong]
Country IP Range: 210.17.128.0 to 210.17.255.255

Website Status: Active
Reverse IP: Web server hosts 18 websites (reverse ip tool requires free login)
Server Type: Apache/1.3.28 (Unix) PHP/4.3.3 mod_ssl/2.8.15 OpenSSL/0.9.7b
IP Address: 210.17.251.158 (ARIN & RIPE IP search)
IP Location: - Pacific Internet (hong Kong) Ltd
Blacklist Status: Clear
Cached Whois: 2006-03-30
Record Type: Domain Name
Name Server: NS1.BSASIAGROUP.COM
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created: 2002-04-29
Expires: 2007-04-29
Status: REGISTRAR-LOCK
Registrant:
LAM, GARY
BananaShake Design
RM 903, Westlands Centre,
20 Westlands Road, Quarry Bay hk
HK

Domain Name: BSASIAGROUP.COM

Administrative Contact:
LAM, GARY garygallery@yahoo.com
BananaShake Design
RM 903, Westlands Centre,
20 Westlands Road, Quarry Bay hk
HK
852 2516 9139 fax: 852 2510 9364

Technical Contact:
Network Solutions, LLC.
13200 Woodland Park Drive
Herndon, VA 20171-3025
US
1-888-642-9675 fax: 571-434-4620

Record expires on 29-Apr-2007.
Record created on 29-Apr-2002.

Domain servers in listed order:

NS1.BSASIAGROUP.COM 210.17.251.156
NS2.BSASIAGROUP.COM 210.17.251.157
NS3.BSASIAGROUP.COM 210.17.251.158

Someone should call or email Mr. Lam for me and tell him to shut his server off??

Gary Lam (garygallery@yahoo.com) owns the domain.

His mail server (210.17.251.159) is infected by the W32.MyDoom virus.

2 Comments:

Blogger Paul Adams said...

I was searching blogs,and I found your site.Please,
accept my congratulations for your excellent work!
If you have a moment, please visit my site:
domain names center
It pretty much covers domain names center related issues.
Have a good day!

1:58 AM  
