5月前半のフィッシング開始
Published: 2008/05/12
いつものパターンでハニーポットにて5月分のフィッシングメールの送信を補足し始めました。6時間〜9時間のインターバルをあけて、1時間で400通〜8000通程度ずつ送信するというパターンを繰り返しています。たぶん、送信に利用するボットをラウンドロビンしている結果うちのハニーポットに順番が回ってくるのにこのくらいかかるのだろうと思います。5/12になって文面と誘導先が変わりました。
5/11
誘導されるフィッシングサイトはここ。
http://rubycon.ch/cgi-bin/www.bankofamerica.com/login-secure/**.php?***
ドメインもIPアドレスもスイスです。
rubycon.ch Holder of domain name: Rubycon AG CH-6828 Balerna Switzerland Contractual Language: Italian inetnum: 217.150.244.0 - 217.150.244.255 netname: NINE2 descr: Nine Internet Solutions AG country: CH admin-c: NINE-RIPE tech-c: TH44-RIPE status: ASSIGNED PA mnt-by: NINE-MNT
掲載している文面はテキストのみ抜き出していますが、実際のHTMLメールにはオリンピックのロゴが貼り付けられていたりします。
------------------------------------------------------------------- To: ***@*** Subject: Bank of America Security Measures From: onlinebanking@alert.bankofamerica.com Date: Sun, 11 May 2008 22:23:34 +0900 ------------------------------------------------------------------- Your Online Banking is Blocked Because of unusual number of invalid login attempts on you account, we had to believe that, their might be some security problem on you account. So we have decided to put an extra verification process to ensure your identity and your account security. Please click on sign in to Online Banking to continue to the verification process and ensure your account security. It is all about your security. Thank you, and visit the customer service section. ------------------------------------------------------------------------- Bank of America, N.A. Member FDIC. Equal Housing Lender 2007 Bank of America Corporation. All rights reserved.
5/12
誘導されるフィッシングサイトはここ。
http://onlineid.bankofamerica.com.id.5a6081e.com/***/***.html?iv=****
フィッシングサイトはゾンビPCタイプでFust-Fluxな感じです。ドメインは中国、IPアドレスは一度の問い合わせで10IP返ってきますが、世界中ばらばらです。それほど多くないですが10台以上のゾンビPC(?)が利用されています。
Domain Name: 5A6081E.COM Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN Whois Server: whois.dns.com.cn Name Server: NS10.MYWOWDNS.COM Name Server: NS2.MYWOWDNS.COM Name Server: NS5.MYWOWDNS.COM Name Server: NS6.MYWOWDNS.COM Status: clientTransferProhibited Updated Date: 11-may-2008 Creation Date: 11-may-2008 Expiration Date: 11-may-2009
------------------------------------------------------------------------ To: ***.*** Subject: Account Security Measures From: security@bankofamerica.com Date: Mon, 12 May 2008 09:01:16 +0900 ------------------------------------------------------------------------ Dear valued Bank of America・member, Due to a recent high number of fraudulent transactions, we have issued the following security requirements. It has come to our attention that 98% of all fraudulent transactions are caused by fraudsters using stolen account information to purchase or sell non existant items. Thus we require our members to enroll in our SiteKey security upgrade, as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. After you submit the requested information, we will create a unique algorithm based on your personal computer, allowing us to recognize you in any future online banking sessions and thus immediately spotting any unauthorized access. By passing back and forth secret information that only you and Bank Of America know, you can feel even more secure with your online banking experience. We recognize you and you recognize us. If you could please take 5-10 minutes out of your online experience and enroll in the SiteKey security upgrade, you will not run into any future problems with the Bank Of America online banking service. However, failure to meet our security requirements will result in your account suspension. We are requesting this information to verify and protect your identity. Federal regulations require all financial institutions to obtain, verify, and record identification from all persons opening new accounts or obtaining ongoing payment services. This is in order to prevent the use of the U.S. banking system in terrorist and other illegal activity. For these reasons, Bank Of America will utilize services provided by various credit reporting agencies to verify the information you submit to us. Once you have enrolled in our SiteKey security upgrade your pending Bank Of America account transactions will not be interrupted and will continue as normal. Please enroll in our SiteKey security upgrade by clicking here. Thank you for your time. Regards, Security Department. Bank Of America
by jyake