Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 23 July 2009

Is your computer part of the Alliance and Leicester phishing botnet?

I've been seeing these for several days now, and they seem to have a new one every day or two. Thus far, I've seen 9 different domains, all pointing to Alliance & Leicester phishing scam pages - but here's the kicker - they're ALL hosted on DRONE COMPUTERS! (otherwise known as, they've all been compromised and are now part of a botnet).

http://hosts-file.net/misc/hpObserver_-_Alliance_and_Leicester_com_phishing_Scams.html

Incidentally, there only seems to be a handful of IP's involved at present, which makes it a rather small and amateurish botnet:

138.210.155.220 - No PTR (Failed to resolve)
209.169.140.119 - 140-119.mc.royaume.com
200.204.145.250 - 200-204-145-250.speedyterra.com.br
219.83.125.242 - No PTR (Failed to resolve)
220.253.19.46 - 220-253-19-46.VIC.netspace.net.au
75.199.109.38 - 38.sub-75-199-109.myvzw.com
86.52.63.134 - 56343f86.rev.stofanet.dk
65.202.231.12 - No PTR (Failed to resolve)
203.208.84.7 - 7.84.208.203.cable.dyn.mql.ncable.com.au
74.130.145.52 - 74-130-145-52.dhcp.insightbb.com
78.106.123.116 - 78-106-123-116.broadband.corbina.ru
81.233.253.133 - 81-233-253-133-no13.tbcn.telia.com
97.90.152.194 - 97-90-152-194.static.mtpk.ca.charter.com
99.37.122.59 - adsl-99-37-122-59.dsl.chcgil.sbcglobal.net
24.8.130.146 - c-24-8-130-146.hsd1.co.comcast.net
68.54.210.173 - c-68-54-210-173.hsd1.in.comcast.net
68.61.133.232 - c-68-61-133-232.hsd1.mi.comcast.net
69.250.79.6 - c-69-250-79-6.hsd1.md.comcast.net
76.115.11.52 - c-76-115-11-52.hsd1.wa.comcast.net
98.235.109.247 - c-98-235-109-247.hsd1.pa.comcast.net
98.235.149.126 - c-98-235-149-126.hsd1.pa.comcast.net
24.164.131.147 - cpe-24-164-131-147.nyc.res.rr.com
95.96.143.37 - dhcp-095-096-143-037.chello.nl
208.107.67.19 - host-19-67-107-208.midco.net
95.235.181.233 - host233-181-dynamic.235-95-r.retail.telecomitalia.it
88.132.124.178 - host-88-132-124-178.prtelecom.hu


As you can see, by far the worst affected at present, appears to be Comcast customers. I've not looked into which botnet is actually responsible for this yet, but no doubt the number of drones involved, will grow over the next few days or so.

As has been mentioned many many many times before;

1. DO NOT click links in e-mails. If you do not know your banks URL, look on your last bank statement, it will be on there, then MANUALLY type it into your browsers address bar.

2. DO NOT use HTML e-mail. Using HTML e-mail not only allows them to cloak the REAL URL you will be taken to, it also allows an infection vector - it may not be as pretty, but stick with PLAIN TEXT E-MAIL

3. YOUR BANK WILL NEVER ASK FOR THE DETAILS THESE PHISHING SCAMS ASK FOR!!! DO NOT BE FOOLED INTO HANDING IT OVER. IF IN DOUBT, CALL YOUR BANK!.

It should be noted, though it should also be obvious, Alliance and Leicester are not the only bank whose customers are being phished. I'm also seeing a slew of Halifax, Lloyds TSB, Abbey National, etc etc etc phishing scams coming into my inbox at present (and yes, I'm deliberately not filtering them out - I actually like receiving spam and phishing scams - provides for nice little blog articles such as this).

/edit 14:09 23-07-2009

This one just came in a couple minutes ago, making the number of domains now 10;

http://hosts-file.net/?s=www.mybank.alliance-leicester950.com

IP's:

76.115.11.52 - c-76-115-11-52.hsd1.wa.comcast.net
99.37.122.59 - adsl-99-37-122-59.dsl.chcgil.sbcglobal.net
200.204.145.250 - 200-204-145-250.speedyterra.com.br
88.132.124.178 - host-88-132-124-178.prtelecom.hu
68.54.210.173 - c-68-54-210-173.hsd1.in.comcast.net
97.90.152.194 - 97-90-152-194.static.mtpk.ca.charter.com
95.96.143.37 - dhcp-095-096-143-037.chello.nl
24.8.130.146 - c-24-8-130-146.hsd1.co.comcast.net
68.61.133.232 - c-68-61-133-232.hsd1.mi.comcast.net
74.210.187.149 - 74-210-187-149.hy.cgocable.ca

/edit 15:58 23-07-2009

www.mybank.alliance-leicester184.com

95.235.181.233 - host233-181-dynamic.235-95-r.retail.telecomitalia.it
74.75.104.93 - cpe-74-75-104-93.maine.res.rr.com
69.250.79.6 - c-69-250-79-6.hsd1.md.comcast.net
95.96.143.37 - dhcp-095-096-143-037.chello.nl
200.204.145.250 - 200-204-145-250.speedyterra.com.br
202.77.97.227 - mail.ykkbi.or.id
209.169.140.119 - 140-119.mc.royaume.com
219.83.125.242 - Resolution failed
63.26.180.234 - 1Cust5354.an4.chi30.da.uu.net
65.202.231.12 - Resolution failed

1 comment:

Gerhard W. Recher said...

this is our impact at clean mx
see: http://support.clean-mx.de/clean-mx/phishing?domain=alliance-leicester%.com

-- gerhard

| http://www.mybank.alliance-leicester450.com/index.asp=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester396.com/index.php |
| http://www.mybank.alliance-leicester180.com/index.asp=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester453.com/index.php |
| http://www.mybank.alliance-leicester084.com/ |
| http://www.mybank.alliance-leicester527.com/index.asp=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester145.com/index.asp=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester314.com/ |
| http://www.mybank.alliance-leicester524.com/ |
| http://www.mybank.alliance-leicester363.com/ |
| http://www.mybank.alliance-leicester023.com/ |
| http://www.mybank.alliance-leicester100.com/index.asp=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester934.com/ |
| http://www.mybank.alliance-leicester543.com/index.asp=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester329.com/ |
| http://www.mybank.alliance-leicester571.com/ |
| http://www.mybank.alliance-leicester340.com/ |
| http://www.mybank.alliance-leicester276.com/index.asp=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester364.com/ |
| http://www.mybank.alliance-leicester005.com/ |
| http://www.mybank.alliance-leicester774.com/index.asp=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester406.com/ |
| http://www.mybank.alliance-leicester684.com/index=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester609.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester109.com/index=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester28.com/index=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester96.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester72.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester71.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester86.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester38.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester14.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester59.com |
| http://www.mybank.alliance-leicester65.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester73.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester41.com/index.aspcte=mybankrhnlogin/ |
| http://www.mybank.alliance-leicester24.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester41.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester55.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester93.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester59.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester29.com/index.aspct=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester78.com/index.aspcte=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester50.com/index.aspct=mybankrhnlogin/index.php |
| http://www.mybank.alliance-leicester79.com/index.aspcte=mybankrhnlogin/index.php |