Phishing for Postfinance (Part 2)
They are phishing for Postfinance logins again. And although the e-mail looks much nicer this time, it still has too many typos in it. ;-)
Another not-so-clever idea they had was to use port 8081 for all their links, be it for the logo (yes, they didn't load it from the original site but from their phishing server!) or for the phishing URL (http://219.163.9.224:8081/index.php?email=plog@hu-gi.to [modified email domain]) itself. According to a whois query, the IP range belongs to an ISP in Tokyo:
reto@erna:~$ whois 219.163.9.224
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      219.160.0.0 - 219.165.255.255
netname:      OCN
descr:        OCN Provided By NTT-Communications which is ISP
descr:        in Chiyoda-ku, Tokyo, Japan
country:      JP
admin-c:      JNIC1-AP
tech-c:       JNIC1-AP
remarks:      ************************************************
remarks:      Allocated to JPNIC member. Authoritative
remarks:      information regarding assignments and allocation
remarks:      made from within this block can also be queried
remarks:      at whois.nic.ad.jp. To obtain an English output
remarks:      query whois -h whois.nic.ad.jp x.x.x.x/e
remarks:      Email address for spam or abuse complaints : abuse@ocn.ad.jp
remarks:      ************************************************
mnt-by:       MAINT-JPNIC
mnt-lower:    MAINT-JPNIC
changed:      hostmaster@apnic.net 20020408
changed:      hm-changed@apnic.net 20020904
changed:      ip-apnic@nic.ad.jp 20040413
status:       ALLOCATED PORTABLE
source:       APNIC

role:         Japan Network Information Center
address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address:      Chiyoda-ku, Tokyo 101-0047, Japan
country:      JP
phone:        +81-3-5297-2311
fax-no:       +81-3-5297-2312
e-mail:       hostmaster@nic.ad.jp
admin-c:      JI13-AP
tech-c:       JE53-AP
nic-hdl:      JNIC1-AP
mnt-by:       MAINT-JPNIC
changed:      hm-changed@apnic.net 20041222
changed:      hm-changed@apnic.net 20050324
changed:      ip-apnic@nic.ad.jp 20051027
source:       APNIC

inetnum:      219.163.9.224 - 219.163.9.231
netname:      WATT-NET
descr:        System Watt Co.,Ltd.
country:      JP
admin-c:      HK1473JP
tech-c:       HK1473JP
remarks:      This information has been partially mirrored by APNIC from
remarks:      JPNIC. To obtain more specific information, please use the
remarks:      JPNIC WHOIS Gateway at
remarks:      http://www.nic.ad.jp/en/db/whois/en-gateway.html or
remarks:      whois.nic.ad.jp for WHOIS client. (The WHOIS client
remarks:      defaults to Japanese output, use the /e switch for English
remarks:      output)
changed:      apnic-ftp@nic.ad.jp 20020902
source:       JPNIC

Note that the latest version of Thunderbird does well here and marks the mail as "Scam". This is handy for less experienced users, although the phish is probably too obvious this time.
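The two giveaways above (a link whose visible text is an https:// URL while the real target is a bare IP on port 8081, and a logo fetched from that same host) are exactly what a mail client's scam warning keys on. The following is an added example, not code from the original post: a small Python checker that pulls every link and image out of an HTML mail body and flags text/target mismatches, bare IP addresses and non-standard ports. The mail body is constructed for this example from the URLs quoted in the post; the set of "standard" ports is this example's own choice.

```python
"""Added example (not from the original post): flag the tricks this phish used.

Checks an HTML mail body for:
  * anchors whose visible text is an http(s):// URL while the href points at
    a different host (what Thunderbird's "Scam" warning and SpamAssassin's
    HTTPS_IP_MISMATCH rule key on),
  * links and images that point at a bare IPv4 address,
  * links and images that use a non-standard port (here 8081).
The sample body below is constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumption of this example: anything other than 80/443 (or no port) is suspicious.
STANDARD_PORTS = {None, 80, 443}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for <a> tags and src for <img> tags."""

    def __init__(self):
        super().__init__()
        self.anchors = []   # list of [href, visible text]
        self.images = []    # list of src values
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current = [attrs["href"], ""]
            self.anchors.append(self._current)
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data


def _host_flags(url, where):
    """Findings for one URL: bare IP address and/or non-standard port."""
    findings = []
    p = urlparse(url)
    if p.hostname and IPV4_RE.match(p.hostname):
        findings.append(f"{where}: bare IP address {p.hostname}")
    if p.port not in STANDARD_PORTS:
        findings.append(f"{where}: non-standard port {p.port}")
    return findings


def analyse_html(body):
    """Return a list of human-readable findings for an HTML mail body."""
    parser = _LinkCollector()
    parser.feed(body)
    findings = []
    for href, text in parser.anchors:
        shown = text.strip()
        # Visible text looks like a URL but the real target is another host:
        # the "https://www.bank.example shown, http://1.2.3.4 linked" trick.
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                findings.append(f"link text {shown} but href {href}")
        findings += _host_flags(href, "link")
    for src in parser.images:
        findings += _host_flags(src, "image")
    return findings


# Constructed sample modelled on the mail described in the post.
SAMPLE_BODY = """
<html><body>
<img src="http://219.163.9.224:8081/logo.gif" alt="PostFinance">
<p>Please verify your account:
<a href="http://219.163.9.224:8081/index.php?email=plog@hu-gi.to">
https://www.yellownet.ch/app/verification/welcome.do</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse_html(SAMPLE_BODY):
        print(finding)
```

Run against the constructed body this reports five findings: the text/target mismatch on the anchor, and a bare-IP plus port-8081 finding for both the link and the logo image. A legitimate mail whose link text and href agree and which uses the default port produces no findings.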

Another effective way to detect phishing mails is to use the information SpamAssassin provides in its X-Spam headers:
X-Spam-Status: No, score=4.3 required=7.0 tests=HTML_MESSAGE,
	HTML_TAG_EXIST_TBODY,HTTPS_IP_MISMATCH,MIME_HTML_ONLY,NO_REAL_NAME,
	RCVD_IN_NJABL_DUL autolearn=disabled version=3.1.0

Note the HTTPS_IP_MISMATCH test, which fires because the URL shown in the link text (https://www.yellownet.ch/app/verification/welcome.do) does not match the actual link target (http://219.163.9.224:8081[...]). Also note that with a score of 4.3 against a required 7.0 the mail was not tagged as spam at all, so a filter that only looks at the verdict would have let it through; the individual test names are the useful signal here.

I'm already excited to spot the next fishhook!
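Since the verdict says "No" while the test list still names HTTPS_IP_MISMATCH, a filter that wants to catch this has to parse the folded header and act on the test names rather than on the verdict. The following is an added example, not part of the original post: it unfolds the X-Spam-Status header quoted above, extracts verdict, score, threshold and the list of tests, and treats the mail as phishy if a test from a small indicator set fired. The header string is the one from the post, embedded as constructed input; the indicator set is this example's own choice and contains only HTTPS_IP_MISMATCH, to be extended from your own ruleset.

```python
"""Added example (not from the original post): act on SpamAssassin's test
names rather than only on its Yes/No verdict.

X-Spam-Status is a folded header; once unfolded it carries the verdict, the
score, the threshold and a comma-separated list of the tests that fired.
The header below is the one quoted in the post; PHISH_TESTS is this
example's own choice of tests to treat as phishing indicators.
"""
import re

# Assumption of this example: tests whose firing alone marks a mail as phishy.
PHISH_TESTS = {"HTTPS_IP_MISMATCH"}

# key=value pairs; a value runs until whitespace followed by the next key=.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)

# Constructed input: the header shown in the post, folded as SpamAssassin folds it.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=4.3 required=7.0 tests=HTML_MESSAGE,\n"
    "\tHTML_TAG_EXIST_TBODY,HTTPS_IP_MISMATCH,MIME_HTML_ONLY,NO_REAL_NAME,\n"
    "\tRCVD_IN_NJABL_DUL autolearn=disabled version=3.1.0\n"
)


def unfold(header):
    """Join continuation lines (line break followed by whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def parse_spam_status(header):
    """Parse an X-Spam-Status header into a dict."""
    unfolded = unfold(header)
    name, _, value = unfolded.partition(":")
    if name.strip().lower() != "x-spam-status":
        raise ValueError("not an X-Spam-Status header")
    verdict, _, rest = value.strip().partition(",")
    fields = dict(FIELD_RE.findall(rest))
    # The tests list may carry spaces where the header was folded; strip them.
    tests = [t.strip() for t in fields.get("tests", "").split(",") if t.strip()]
    return {
        "spam": verdict.strip().lower() == "yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": tests,
        "version": fields.get("version"),
    }


def is_phishy(status, indicators=PHISH_TESTS):
    """True if any phishing indicator test fired, regardless of the verdict."""
    return bool(indicators.intersection(status["tests"]))


if __name__ == "__main__":
    status = parse_spam_status(SAMPLE_HEADER)
    print("spam verdict:", status["spam"], "score:", status["score"],
          "required:", status["required"])
    print("tests:", ", ".join(status["tests"]))
    print("phishy:", is_phishy(status))
```

For the header from the post this yields a spam verdict of False (4.3 is below the required 7.0) but a phishy result of True, because HTTPS_IP_MISMATCH is among the six tests that fired. A mail that scores above the threshold without any indicator test is spam but not flagged as phishing by this check.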

