The PhishLabs Blog


Phishing for bitcoins
Posted on: November 11, 2013

PhishLabs has detected a new phishing attack targeting users of the Mt. Gox bitcoin exchange:


While most phishing attacks used hacked legitimate web sites to host phishing pages, this particular attack is using a registered domain name of RAA.CN.COM.     CN.COM isn’t a real top-level domain name, but CentralNic allows registrars to sell third-level domains within CN.COM.    Interestingly, CentralNic also provides a WHOIS service for these domains.   In this case, we can see that the domain name was registered on November 9th using a Chinese identity:

Domain ID:CNIC-DO1605313
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Registrant ID:H4348057
Registrant Name:liu dehua
Registrant Organization:liu dehua
Registrant Street1:beijingshibeijingshibeijingshi
Registrant City:beijing
Registrant State/Province:Beijing
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.86.1083298850
Registrant FAX:+86.86.1083298850
Admin ID:H4348060
Admin Name:liu dehua
Admin Organization:liu dehua
Admin Street1:beijingshibeijingshibeijingshi
Admin City:beijing
Admin State/Province:Beijing
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.86.1083298850
Admin FAX:+86.86.1083298850
Tech ID:H4348063
Tech Name:liu dehua
Tech Organization:liu dehua
Tech Street1:beijingshibeijingshibeijingshi
Tech City:beijing
Tech State/Province:Beijing
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.86.1083298850
Tech FAX:+86.86.1083298850
Billing ID:H4348066
Billing Name:liu dehua
Billing Organization:liu dehua
Billing Street1:beijingshibeijingshibeijingshi
Billing City:beijing
Billing State/Province:Beijing
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.86.1083298850
Billing FAX:+86.86.1083298850
Sponsoring Registrar ID:H3245827
Sponsoring Registrar IANA ID:697
Sponsoring Registrar Organization:ERANET INTERNATIONAL LIMITED
Sponsoring Registrar Street1:02 7/F TRANS ASIA CENTRE 18 KIN HONG STREET KWAI CHUNG N.T 
Sponsoring Registrar City:Hongkong
Sponsoring Registrar State/Province: 
Sponsoring Registrar Postal Code:999077 
Sponsoring Registrar Country:CN
Sponsoring Registrar Phone:+852-35685366
Sponsoring Registrar FAX:+852-35637160 
Sponsoring Registrar
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET

Further analysis and mining of our spam collection reveals the URL that was sent out:

When visited, this URL directs users to the phishing form page above.    This appears to be a legitimate Chinese language web site.    It could be compromised or the attackers could be affiliated with the site some how.

Bitcoin users should be wary of suspicious emails – as always!

read more +

What’s next for DDoS defense?
Posted on: October 15, 2013

Over the last year or so, I’ve frequently been involved in discussions about DDoS botnets and their activities. Many of the security practitioners I talk with have been under pressure to better protect against DDoS threats. And a common question I get is “What else should I be doing that will make a difference?” Which is a valid question considering many already have invested in anti-DDoS capabilities and/or have relationships with mitigation service providers. 

My response is that security teams need to shift to a more proactive strategy of defense that is driven by intelligence on the specific DDoS threats that are likely to target their sites. They need detailed information on current attack capabilities and they need the visibility to detect when an attack is coming at them. And they need to apply that intelligence to mitigation layers beforehand where possible.

On October 22, I will be giving a talk that dives deeper into this and walks through how to implement a DDoS protection strategy that is proactive and driven by threat intelligence. It’s free to attend and will include Q&A. If you’re interested, sign up here:

- John LaCour

read more +

Why phishing matters
Posted on: August 22, 2013

Almost every day I speak with a bank somewhere about phishing. I ask them how much of a threat is it, what are they doing about it, and how does it affect their business. Surprisingly, the answers I get vary quite a bit from one organization to another. Most are concerned about the costs of fraud losses. In the US, due to Regulation E, banks must make customers whole when their account is compromised and funds are stolen. Many banks are also concerned about the costs of dealing with phishing and similar attacks. The overhead costs due to fraud are significant. Call centers, fraud investigations, suspicious activity reports (SARS), and other bank functions are involved in managing fraud. Interestingly, not all of the banks we speak to are focused on the brand and reputation effects of phishing as they should be.

According to a Harris Interactive poll conducted on behalf of Entersekt, 71% of US adults would be somewhat likely to switch banks if they became a victim of phishing. That is significant. According to one author, a reduction of 5% in customer churn can improve a bank’s profits 80%. That strikes me as high, but whatever the numbers, customer churn has a significant impact on the bottom line.

Some other interesting notes from the poll:

  • 85% of US adults with banking accounts are at least somewhat concerned about online banking fraud
  • 58% of US adults would be at least somewhat willing to take an active role in securing their online banking transactions

- John LaCour

read more +

Phishing site asks to upload image of their driver’s license and phone bill
Posted on: May 23, 2012

PhishLabs has discovered a new variant of a common phishing page that prompts users to upload a scanned copy of their driver’s license and telephone bill. The scam detected targets customers of a large US bank.


Most likely the phisher is attempting to circumvent additional security measures by the bank such as telephone based authentication systems or they may be attempting change the customers account information via a call center. For most banks, you would need additional information that online banking credentials for such an attack to be successful.

read more +

PhishLabs presenting at the Anti-Phishing Working Group CeCOS conference
Posted on: April 19, 2012

John LaCour, CEO of PhishLabs, is presenting at the forthcoming APWG Counter E-Crime Operations Summit in Prague. Mr. LaCour’s presentation title “Viscious Vishing Vanquished” will discuss how vishing attacks and include real world examples of vishing scams.



PhishLabs is looking forward to joining our colleagues in Prague to continue the fight against cyber-crime and online fraud.


ABOUT the Counter eCrime Operations Summit

CeCOS VI, the second APWG conference held in Europe, is an open conference for members of the electronic-crime fighting community, hosted by the APWG and its Conference Partner AVG, Program Partners: The Council of Europe and Organization for Security and Cooperation in Europe, and sponsored by AVG, Google, Microsoft, MarkMonitor, ESET, Telefonica and ICANN. The CeCOS programs are widely considered the most vital events to investigators and managers of electronic crime from across the private and public sectors.




read more +

© 2014
All Rights Reserved - PhishLabs
Terms of Service - Privacy Policy