
Phishing Kicks Off for the First Half of May

Published: 2008/05/12

Following the usual pattern, the honeypot has started catching the May batch of phishing mail. The sending pattern repeats itself: a pause of 6 to 9 hours, then roughly 400 to 8,000 messages delivered within a single hour. My guess is that the bots used for sending are being rotated round-robin, and that is how long it takes for my honeypot's turn to come around again. On 5/12 both the message text and the destination site changed.

5/11

The phishing site the link leads to is here:

 http://rubycon.ch/cgi-bin/www.bankofamerica.com/login-secure/**.php?***

Both the domain and the IP address are Swiss.

 rubycon.ch
 Holder of domain name:
 Rubycon AG
 CH-6828 Balerna
 Switzerland
 Contractual Language: Italian
 
 inetnum:        217.150.244.0 - 217.150.244.255
 netname:        NINE2
 descr:          Nine Internet Solutions AG
 country:        CH
 admin-c:        NINE-RIPE
 tech-c:         TH44-RIPE
 status:         ASSIGNED PA
 mnt-by:         NINE-MNT

The message text shown here is extracted as plain text only; the actual HTML mail has things like an Olympic logo pasted into it.

 -------------------------------------------------------------------
 To: ***@***
 Subject: Bank of America Security Measures 
 From: onlinebanking@alert.bankofamerica.com 
 Date: Sun, 11 May 2008 22:23:34 +0900 
 -------------------------------------------------------------------
  
 Your Online Banking is Blocked
 
 Because of unusual number of invalid login attempts on you account, 
 we had to believe that, their might be some security problem on you
 account. So we have decided to put an extra verification process to
 ensure your identity and your account security. Please click on sign
 in to Online Banking to continue to the verification process and ensure
 your account security. It is all about your security. Thank you, and
 visit the customer service section.
 
 -------------------------------------------------------------------------
 
 Bank of America, N.A. Member FDIC. Equal Housing Lender 
 2007 Bank of America Corporation. All rights reserved.   

5/12

The phishing site the link leads to is here:

 http://onlineid.bankofamerica.com.id.5a6081e.com/***/***.html?iv=****

The phishing site is the zombie-PC type, fast-flux style. The domain is Chinese; a single DNS query returns 10 IP addresses, scattered all over the world. Not a huge number, but more than 10 zombie PCs (?) are in use. Note that the real registered domain is 5a6081e.com, created the day before the mail arrived; "onlineid.bankofamerica.com" is just a subdomain prefix hung in front of it.

   Domain Name: 5A6081E.COM
   Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
   Whois Server: whois.dns.com.cn
   Name Server: NS10.MYWOWDNS.COM
   Name Server: NS2.MYWOWDNS.COM
   Name Server: NS5.MYWOWDNS.COM
   Name Server: NS6.MYWOWDNS.COM
   Status: clientTransferProhibited
   Updated Date: 11-may-2008
   Creation Date: 11-may-2008
   Expiration Date: 11-may-2009
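
The two URLs above show the two classic tricks: on 5/11 the brand name sits in the URL path of an unrelated Swiss host, and on 5/12 it sits in the subdomain labels of a day-old domain answered by a spread of rotating IPs. The following is an added example, not code from the original post, that triages a URL for both patterns. The URLs are the post's own (with the author's asterisk masking retained); the DNS answer set, TTL and GeoIP country codes are constructed stand-ins, since the post describes but does not list the resolver output, and the suffix table is a deliberately tiny substitute for the Public Suffix List:

```python
"""Heuristic triage of a phishing URL for the brand-in-subdomain / brand-in-path
and fast-flux patterns described in this post.  Added example, not the post's own
code.  DNS records, TTL and country codes are CONSTRUCTED stand-ins."""
from datetime import date
from ipaddress import ip_address
from urllib.parse import urlparse

# URLs quoted in the post (author's masking kept as-is).
POST_URL_0511 = "http://rubycon.ch/cgi-bin/www.bankofamerica.com/login-secure/**.php?***"
POST_URL_0512 = "http://onlineid.bankofamerica.com.id.5a6081e.com/***/***.html?iv=****"
BRAND_DOMAIN = "bankofamerica.com"

# Tiny stand-in for the Public Suffix List (assumption): enough for the TLDs on
# this page.  Real tooling must use the full list to handle e.g. co.uk.
KNOWN_SUFFIXES = {"com", "ch", "net", "org"}

# Constructed answer set: 10 A records from RFC 5737 documentation ranges, with
# made-up GeoIP country codes standing in for "scattered all over the world".
SAMPLE_RECORDS = [
    ("192.0.2.11", "US"), ("192.0.2.57", "BR"), ("198.51.100.4", "DE"),
    ("198.51.100.99", "KR"), ("203.0.113.8", "AU"), ("203.0.113.77", "US"),
    ("192.0.2.200", "TR"), ("198.51.100.150", "DE"), ("203.0.113.130", "PL"),
    ("192.0.2.33", "MX"),
]
SAMPLE_TTL = 180                        # constructed; fast-flux TTLs are short
DOMAIN_CREATED = date(2008, 5, 11)      # from the whois block above
MAIL_OBSERVED = date(2008, 5, 12)       # Date: header of the 5/12 mail


def registrable_domain(hostname):
    """Return the registrable (second-level) domain, e.g. '5a6081e.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in KNOWN_SUFFIXES:
        raise ValueError(f"unsupported or too short hostname: {hostname}")
    return ".".join(labels[-2:])


def brand_spoofing(url, brand_domain=BRAND_DOMAIN):
    """Report where the brand appears other than as the registrable domain."""
    parts = urlparse(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    return {
        "registrable_domain": reg,
        "brand_is_registrable": reg == brand_domain,
        # Brand string embedded in the host labels of someone else's domain.
        "brand_in_subdomain": reg != brand_domain and brand_domain in host,
        # Brand string used as a directory name on an unrelated host.
        "brand_in_path": brand_domain in parts.path.lower(),
    }


def fast_flux_indicators(records, ttl, created, observed):
    """Score one DNS answer set.  records: (ip, country_code) pairs as a GeoIP
    lookup would give; ttl: answer TTL in seconds; created/observed: whois
    creation date and the date the mail was seen.  Returns (indicators, score)."""
    ips = {ip_address(ip) for ip, _ in records}          # validates the literals
    countries = {cc for _, cc in records}
    age_days = (observed - created).days
    indicators = {
        "many_a_records": len(ips) >= 5,
        "low_ttl": ttl <= 300,
        "geo_dispersed": len(countries) >= 3,
        "young_domain": age_days <= 7,
    }
    return indicators, sum(indicators.values())


if __name__ == "__main__":
    for url in (POST_URL_0511, POST_URL_0512):
        print(url, brand_spoofing(url))
    print(fast_flux_indicators(SAMPLE_RECORDS, SAMPLE_TTL, DOMAIN_CREATED, MAIL_OBSERVED))
```

The thresholds (5 records, 300 s TTL, 3 countries, 7 days) are starting points, not tuned values; a legitimate CDN hostname can also trip the first three, which is why the domain age and the brand-placement checks are scored alongside them rather than on their own.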
 ------------------------------------------------------------------------
 To: ***.*** 
 Subject: Account Security Measures 
 From: security@bankofamerica.com 
 Date: Mon, 12 May 2008 09:01:16 +0900 
 ------------------------------------------------------------------------
 
 Dear valued Bank of America member, 
 
 Due to a recent high number of fraudulent transactions, we
 have issued the following security requirements. 
 
 It has come to our attention that 98% of all fraudulent
 transactions are caused by fraudsters using stolen account
 information to purchase or sell non existant items. Thus we
 require our members to enroll in our SiteKey security upgrade,
 as part of our continuing commitment to protect your account
 and to reduce the instance of fraud on our website. After you
 submit the requested information, we will create a unique
 algorithm based on your personal computer, allowing us to
 recognize you in any future online banking sessions and thus
 immediately spotting any unauthorized access. By passing back
 and forth secret information that only you and Bank Of America
 know, you can feel even more secure with your online banking
 experience. We recognize you and you recognize us. If you could
 please take 5-10 minutes out of your online experience and enroll
 in the SiteKey security upgrade, you will not run into any future
 problems with the Bank Of America online banking service. However,
 failure to meet our security requirements will result in your
 account suspension. 
 
 We are requesting this information to verify and protect your
 identity. Federal regulations require all financial institutions
 to obtain, verify, and record identification from all persons
 opening new accounts or obtaining ongoing payment services. This
 is in order to prevent the use of the U.S. banking system in
 terrorist and other illegal activity. For these reasons, Bank
 Of America will utilize services provided by various credit reporting
 agencies to verify the information you submit to us. 
 
 Once you have enrolled in our SiteKey security upgrade your pending
 Bank Of America account transactions will not be interrupted and will
 continue as normal. 
 
 Please enroll in our SiteKey security upgrade by clicking here. 
 
 Thank you for your time. 
 
 Regards, 
 Security Department. 
 Bank Of America 
 

[Category: spam observation diary]

by jyake