PhishLabs has detected a new phishing attack targeting users of the Mt. Gox bitcoin exchange:
While most phishing attacks use hacked legitimate web sites to host phishing pages, this particular attack is using a registered domain name, RAA.CN.COM. CN.COM isn’t a real top-level domain: CentralNic allows registrars to sell third-level domains within CN.COM. Interestingly, CentralNic also provides a WHOIS service for these domains. In this case, we can see that the domain name was registered on November 9th using a Chinese identity:
Domain ID:CNIC-DO1605313
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant ID:H4348057
Registrant Name:liu dehua
Registrant Organization:liu dehua
Registrant Street1:beijingshibeijingshibeijingshi
Registrant City:beijing
Registrant State/Province:Beijing
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.86.1083298850
Registrant FAX:+86.86.1083298850
Registrant Email:email@example.com
Admin ID:H4348060
Admin Name:liu dehua
Admin Organization:liu dehua
Admin Street1:beijingshibeijingshibeijingshi
Admin City:beijing
Admin State/Province:Beijing
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.86.1083298850
Admin FAX:+86.86.1083298850
Admin Email:firstname.lastname@example.org
Tech ID:H4348063
Tech Name:liu dehua
Tech Organization:liu dehua
Tech Street1:beijingshibeijingshibeijingshi
Tech City:beijing
Tech State/Province:Beijing
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.86.1083298850
Tech FAX:+86.86.1083298850
Tech Email:email@example.com
Billing ID:H4348066
Billing Name:liu dehua
Billing Organization:liu dehua
Billing Street1:beijingshibeijingshibeijingshi
Billing City:beijing
Billing State/Province:Beijing
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.86.1083298850
Billing FAX:+86.86.1083298850
Billing Email:firstname.lastname@example.org
Sponsoring Registrar ID:H3245827
Sponsoring Registrar IANA ID:697
Sponsoring Registrar Organization:ERANET INTERNATIONAL LIMITED
Sponsoring Registrar Street1:02 7/F TRANS ASIA CENTRE 18 KIN HONG STREET KWAI CHUNG N.T
Sponsoring Registrar City:Hongkong
Sponsoring Registrar State/Province:
Sponsoring Registrar Postal Code:999077
Sponsoring Registrar Country:CN
Sponsoring Registrar Phone:+852-35685366
Sponsoring Registrar FAX:+852-35637160
Sponsoring Registrar Website:www.tnet.hk
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
DNSSEC:Unsigned
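The registration date in that record is the useful defensive signal: a domain created days before the lure was sent is a strong phishing indicator. The following is an added example, not PhishLabs code, that parses the CentralNic-style "Key:Value" record quoted above and scores the domain's age at the time the URL was observed; the 30-day threshold and the observation timestamp are assumptions for illustration.

```python
"""Flag a newly registered domain from a CentralNic-style WHOIS record.

Added example (not PhishLabs code). Parses 'Key:Value' lines like the
RAA.CN.COM record above; repeated keys such as Status are kept as lists.
"""
from datetime import datetime

# Constructed sample: a subset of the fields from the record quoted above.
SAMPLE_WHOIS = """Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant Country:CN
Sponsoring Registrar Organization:ERANET INTERNATIONAL LIMITED
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
"""


def parse_whois(text):
    """Map each WHOIS field name to the list of values seen for it."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank or free-text lines
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def parse_whois_time(value):
    """Parse the registry's '2013-11-09T04:27:02.0Z' timestamp format (UTC)."""
    return datetime.strptime(value.replace("Z", "+0000"),
                             "%Y-%m-%dT%H:%M:%S.%f%z")


def assess_registration(text, observed_at, max_age_days=30):
    """Return age and a newly-registered verdict for the domain in `text`.

    `observed_at` is when the URL was seen, in the same timestamp format.
    'ADD PERIOD' status means the domain is still inside the registry's
    add-grace window, so it is flagged regardless of the age threshold.
    """
    fields = parse_whois(text)
    created = parse_whois_time(fields["Created On"][0])
    age_days = (parse_whois_time(observed_at) - created).total_seconds() / 86400
    in_add_period = "ADD PERIOD" in fields.get("Status", [])
    return {
        "domain": fields["Domain Name"][0],
        "age_days": age_days,
        "add_period": in_add_period,
        "newly_registered": in_add_period or age_days < max_age_days,
    }
```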
Further analysis and mining of our spam collection reveals the URL that was sent out:
When visited, this URL directs users to the phishing form page above. The hosting site appears to be a legitimate Chinese-language web site. It could be compromised, or the attackers could be affiliated with the site somehow.
Bitcoin users should be wary of suspicious emails – as always!
Over the last year or so, I’ve frequently been involved in discussions about DDoS botnets and their activities. Many of the security practitioners I talk with have been under pressure to better protect against DDoS threats. And a common question I get is “What else should I be doing that will make a difference?” Which is a valid question considering many already have invested in anti-DDoS capabilities and/or have relationships with mitigation service providers.
My response is that security teams need to shift to a more proactive strategy of defense that is driven by intelligence on the specific DDoS threats that are likely to target their sites. They need detailed information on current attack capabilities and they need the visibility to detect when an attack is coming at them. And they need to apply that intelligence to mitigation layers beforehand where possible.
On October 22, I will be giving a talk that dives deeper into this and walks through how to implement a DDoS protection strategy that is proactive and driven by threat intelligence. It’s free to attend and will include Q&A. If you’re interested, sign up here: http://www.phishlabs.com/using-threat-intelligence-to-protect-against-ddos-threats/
- John LaCour
Almost every day I speak with a bank somewhere about phishing. I ask them how much of a threat it is, what they are doing about it, and how it affects their business. Surprisingly, the answers I get vary quite a bit from one organization to another. Most are concerned about the costs of fraud losses. In the US, due to Regulation E, banks must make customers whole when their account is compromised and funds are stolen. Many banks are also concerned about the costs of dealing with phishing and similar attacks. The overhead costs due to fraud are significant. Call centers, fraud investigations, suspicious activity reports (SARs), and other bank functions are involved in managing fraud. Interestingly, not all of the banks we speak to are focused on the brand and reputation effects of phishing as they should be.
According to a Harris Interactive poll conducted on behalf of Entersekt, 71% of US adults would be somewhat likely to switch banks if they became a victim of phishing. That is significant. According to one author, a reduction of 5% in customer churn can improve a bank’s profits 80%. That strikes me as high, but whatever the numbers, customer churn has a significant impact on the bottom line.
Some other interesting notes from the poll:
- John LaCour
PhishLabs has discovered a new variant of a common phishing page that prompts users to upload a scanned copy of their driver’s license and telephone bill. The scam detected targets customers of a large US bank.
Most likely the phisher is attempting to circumvent additional security measures used by the bank, such as telephone-based authentication systems, or they may be attempting to change the customer's account information via a call center. For most banks, such an attack would require additional information beyond online banking credentials to be successful.
John LaCour, CEO of PhishLabs, is presenting at the forthcoming APWG Counter E-Crime Operations Summit in Prague. Mr. LaCour’s presentation, titled “Viscious Vishing Vanquished”, will discuss how vishing attacks work and include real-world examples of vishing scams.
PhishLabs is looking forward to joining our colleagues in Prague to continue the fight against cyber-crime and online fraud.
ABOUT the Counter eCrime Operations Summit
CeCOS VI, the second APWG conference held in Europe, is an open conference for members of the electronic-crime fighting community, hosted by the APWG and its Conference Partner AVG, Program Partners: The Council of Europe and Organization for Security and Cooperation in Europe, and sponsored by AVG, Google, Microsoft, MarkMonitor, ESET, Telefonica and ICANN. The CeCOS programs are widely considered the most vital events to investigators and managers of electronic crime from across the private and public sectors.
CONFERENCE REGISTRATION: