DNS wildcards used in new phishing attacks

Julian Field MailScanner at ecs.soton.ac.uk
Wed Mar 9 08:43:45 GMT 2005



"Phishing Net" is the name I have given to the email "phishing" fraud
detector built into MailScanner.
See www.phishingnet.info if you want to see some of the gory details.

Peter Russell wrote:

> Forgive me if this is a silly question - phishing net is using the
> latest mailscanner? Is this a name given to a feature of MS?
>
> Pete
>
> Julian Field wrote:
>
>> As highlighted here on Slashdot:
>>
>> http://slashdot.org/articles/05/03/08/0052235.shtml
>>
>> which links to the full Netcraft article at
>>
>> http://news.netcraft.com/archives/2005/03/07/phishers_use_wildcard_dns_to_build_convincing_bait_urls.html
>>
>>
>>
>> I have just tested the examples given by Netcraft, and the current
>> phishing net already traps these phishing attacks and needs no changes
>> or improvements in this case.
>>
>> If you are running an old version of the phishing net, I strongly advise
>> you to upgrade. You should at least test the 3 URLs given by Netcraft
>> and ensure that you can catch them. Use an HTML segment like this:
>>
>> Barclays bank wildcard DNS attack here:
>> <a href="http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/">barclays.co.uk</a>
>> <a href="http://barclays.co.uk|YJ3EMOHOqljQ8J5oW2ZKyTaRMQOahSWaxTrFTEQK9l9VVQj6jDtyq10d24r2h0bijh2">barclays.co.uk</a>
>> <a href="http://barclays.co.uk|34fdcb4rvdnp9phxbahhvbs6l56a2uyx%2edivxmovies%2ea%74/41pvaw3/">barclays.co.uk</a>
>>
>> Beware that the above paragraph should have 4 lines in it, in case my
>> mail client messes with it.
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
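
The test links quoted above all show one hostname as the link text while the href, once percent-decoded, names a different host. The following is an added example of checking for that mismatch; it is not MailScanner's phishing net code, and the hostnames in SAMPLE and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: hostnames are placeholders, not taken from the post.
SAMPLE = """
<a href="http://bank.example|x7f3.wildcard.example/login/">bank.example</a>
<a href="http://bank.example|x7f3%2ewildcard%2eexa%6dple/">bank.example</a>
<a href="https://www.bank.example/help">bank.example</a>
"""
HOSTLIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
LEGAL_HOST = re.compile(r"^[a-z0-9.-]+$")

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def real_host(href):
    # Decode %xx escapes so an obfuscated host is compared in its plain form.
    return unquote(urlsplit(href).hostname or "").lower().rstrip(".")

def check_link(href, text):
    """Return reasons the link looks deceptive; an empty list means consistent."""
    reasons, host = [], real_host(href)
    if host and not LEGAL_HOST.match(host):
        reasons.append("illegal character in host")
    m = HOSTLIKE.match(text)
    if m:
        claimed = m.group(1).lower()
        if host != claimed and not host.endswith("." + claimed):
            reasons.append("text claims %s but link goes to %s" % (claimed, host))
    return reasons

def scan_html(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(href, text, check_link(href, text)) for href, text in parser.anchors]
```

Calling scan_html(SAMPLE) flags the first two links and passes the third, whose host is a genuine subdomain of the name shown in the link text.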
