Phishing for Postfinance (Part 2)

Posted by reto on 19 June, 2006 23:39

They are phishing for Postfinance logins again. And although the e-mail looks much nicer this time, they still have too many typos in it. ;-)
Another not-so-clever idea was to use port 8081 for all their links, be it for the logo (yes, they didn't link it from the original site, but from their phishing server!) or the phishing URL (http://219.163.9.224:8081/index.php?email=plog@hu-gi.to [modified email domain]) itself. According to a whois query the IP range belongs to an ISP from Tokyo:
reto@erna:~$ whois 219.163.9.224
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      219.160.0.0 - 219.165.255.255
netname:      OCN
descr:        OCN Provided By NTT-Communications which is ISP
descr:        in Chiyoda-ku, Tokyo, Japan
country:      JP
admin-c:      JNIC1-AP
tech-c:       JNIC1-AP
remarks:      ************************************************
remarks:      Allocated to JPNIC member. Authoritative
remarks:      information regarding assignments and allocation
remarks:      made from within this block can also be queried
remarks:      at whois.nic.ad.jp. To obtain an English output
remarks:      query whois -h whois.nic.ad.jp x.x.x.x/e
remarks:      Email address for spam or abuse complaints : abuse@ocn.ad.jp
remarks:      ************************************************
mnt-by:       MAINT-JPNIC
mnt-lower:    MAINT-JPNIC
changed:      hostmaster@apnic.net 20020408
changed:      hm-changed@apnic.net 20020904
changed:      ip-apnic@nic.ad.jp 20040413
status:       ALLOCATED PORTABLE
source:       APNIC

role:         Japan Network Information Center
address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address:      Chiyoda-ku, Tokyo 101-0047, Japan
country:      JP
phone:        +81-3-5297-2311
fax-no:       +81-3-5297-2312
e-mail:       hostmaster@nic.ad.jp
admin-c:      JI13-AP
tech-c:       JE53-AP
nic-hdl:      JNIC1-AP
mnt-by:       MAINT-JPNIC
changed:      hm-changed@apnic.net 20041222
changed:      hm-changed@apnic.net 20050324
changed:      ip-apnic@nic.ad.jp 20051027
source:       APNIC

inetnum:      219.163.9.224 - 219.163.9.231
netname:      WATT-NET
descr:        System Watt Co.,Ltd.
country:      JP
admin-c:      HK1473JP
tech-c:       HK1473JP
remarks:      This information has been partially mirrored by APNIC from
remarks:      JPNIC. To obtain more specific information, please use the
remarks:      JPNIC WHOIS Gateway at
remarks:      http://www.nic.ad.jp/en/db/whois/en-gateway.html or
remarks:      whois.nic.ad.jp for WHOIS client. (The WHOIS client
remarks:      defaults to Japanese output, use the /e switch for English
remarks:      output)
changed:      apnic-ftp@nic.ad.jp 20020902
source:       JPNIC
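The whois output above is what an administrator reads to find the network owner and the abuse contact for a report. Below is an added Python example (not part of the original post) that parses such APNIC/JPNIC-style output into records, picks the most specific inetnum containing the phishing host, and pulls out the abuse address. The embedded whois text is a shortened, constructed copy of the records shown in the post; the field names are the standard whois attributes.

```python
"""Parse whois output, find the most specific inetnum for an address and the
abuse contact to report to. Added example; not part of the original post."""
import ipaddress
import re

# Constructed sample: a shortened copy of the whois records quoted in the post.
WHOIS_OUTPUT = """\
% [whois.apnic.net node-2]
inetnum:      219.160.0.0 - 219.165.255.255
netname:      OCN
descr:        OCN Provided By NTT-Communications which is ISP
country:      JP
remarks:      Email address for spam or abuse complaints : abuse@ocn.ad.jp
source:       APNIC

role:         Japan Network Information Center
e-mail:       hostmaster@nic.ad.jp
nic-hdl:      JNIC1-AP
source:       APNIC

inetnum:      219.163.9.224 - 219.163.9.231
netname:      WATT-NET
descr:        System Watt Co.,Ltd.
country:      JP
source:       JPNIC
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_records(text):
    """Split whois output into records: lists of (key, value) pairs.
    Records are separated by blank lines; '%' comment lines are skipped."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("%") or not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip().lower(), value.strip()))
    if current:
        records.append(current)
    return records


def _range(inetnum):
    """Turn 'a.b.c.d - e.f.g.h' into (low, high, size)."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return lo, hi, int(hi) - int(lo)


def most_specific_inetnum(records, ip):
    """Return the inetnum record with the smallest range that contains ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        fields = dict(rec)  # duplicate keys (descr, remarks) collapse; fine here
        if "inetnum" not in fields:
            continue
        lo, hi, size = _range(fields["inetnum"])
        if lo <= addr <= hi and (best is None or size < best[0]):
            best = (size, rec)
    return best[1] if best else None


def abuse_contact(records):
    """Prefer an abuse-mailbox field, then an e-mail on a remark mentioning
    abuse, then the first e-mail field anywhere in the output."""
    for rec in records:
        for key, value in rec:
            if key == "abuse-mailbox":
                return value
    for rec in records:
        for key, value in rec:
            if key == "remarks" and "abuse" in value.lower():
                m = EMAIL_RE.search(value)
                if m:
                    return m.group(0)
    for rec in records:
        for key, value in rec:
            if key == "e-mail":
                return value
    return None


if __name__ == "__main__":
    recs = parse_records(WHOIS_OUTPUT)
    rec = most_specific_inetnum(recs, "219.163.9.224")
    print(dict(rec)["inetnum"], dict(rec)["netname"], abuse_contact(recs))
```

Real whois output varies by registry (RIPE and ARIN use different field names), so treat the field list as a starting point; the smallest-range selection is what matters, because the most specific allocation is usually the hosting customer rather than the upstream ISP.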
Note that Thunderbird is doing well in the latest version and marks the mail as "Scam". This is handy for the less experienced users, although it's probably too obvious this time.
[Image: Thunderbird screen with the Postfinance phishing mail]
Another effective way to detect phishing mails is to use the information SpamAssassin provides in its X-Spam-Status header:
X-Spam-Status: No, score=4.3 required=7.0 tests=HTML_MESSAGE,
	HTML_TAG_EXIST_TBODY,HTTPS_IP_MISMATCH,MIME_HTML_ONLY,NO_REAL_NAME,
	RCVD_IN_NJABL_DUL autolearn=disabled version=3.1.0
Note the HTTPS_IP_MISMATCH test, which indicates that the URL shown in the mail (https://www.yellownet.ch/app/verification/welcome.do) does not match the one actually linked (http://219.163.9.224:8081[...]).
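The two tell-tale signs of this mail, a visible HTTPS URL whose real target is an IP literal on port 8081 and a logo loaded from that same server, can be checked mechanically. The following added Python example (not SpamAssassin's or Thunderbird's code) parses an HTML body, collects every anchor and image, and reports the same kind of mismatch SpamAssassin flags as HTTPS_IP_MISMATCH, plus IP-literal hosts and non-standard ports. The sample HTML is constructed to resemble the mail described in the post; the e-mail address in the query string is a placeholder.

```python
"""Flag links in an HTML mail whose visible text does not match the real
target, or whose target is an IP literal on an odd port. Added example."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the mail in the post: the visible text shows
# the bank's HTTPS URL, the href and the logo point at an IP literal on 8081.
SAMPLE_HTML = """
<html><body>
<img src="http://219.163.9.224:8081/logo.gif">
<p>Please verify your account:
<a href="http://219.163.9.224:8081/index.php?email=user@example.invalid">
https://www.yellownet.ch/app/verification/welcome.do</a></p>
<p>Terms: <a href="https://www.postfinance.ch/">https://www.postfinance.ch/</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect ('a', href, visible text) and ('img', src, '') tuples in document order."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href", "") or ""
            self._text = []
        elif tag == "img":
            self.items.append(("img", a.get("src", "") or "", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.items.append(("a", self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html):
    """Return one finding per anchor/image with the reasons it looks suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for kind, url, text in parser.items:
        target = urlparse(url)
        host = (target.hostname or "").lower()
        reasons = []
        if _is_ip_literal(host):
            reasons.append("target host is an IP literal")
        if target.port not in (None, 80, 443):
            reasons.append(f"non-standard port {target.port}")
        # The HTTPS_IP_MISMATCH idea: visible text is itself a URL that
        # disagrees with where the link really goes.
        if kind == "a" and text.lower().startswith(("http://", "https://")):
            shown = urlparse(text)
            if shown.scheme == "https" and target.scheme != "https":
                reasons.append(f"visible text claims https but link is {target.scheme}")
            if (shown.hostname or "").lower() != host:
                reasons.append(f"visible host {shown.hostname} != link host {host}")
        findings.append({"kind": kind, "url": url, "text": text, "reasons": reasons})
    return findings


def suspicious_links(html):
    """Only the findings that have at least one reason."""
    return [f for f in analyze_links(html) if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_HTML):
        print(f["kind"], f["url"], "->", "; ".join(f["reasons"]))
```

On the sample this reports the logo (IP literal, port 8081) and the login link (IP literal, port 8081, https shown but http linked, host mismatch) and passes the genuine postfinance.ch link. A raw IP target is not proof of phishing on its own, but combined with a visible-vs-real host mismatch it is exactly the signal a mail filter or a user-facing warning should act on.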
I'm already excited to spot the next fishhook!
