Busy Little Phishing Botnet

Today it’s an American Express phish. In the past few weeks it’s been JPMorgan Chase, Bank of America, CitiGroup, Colonial Bank, and many others. All of them are using fast flux hosting techniques on the same hosts. I don’t know the name of this botnet (either the malcode or the colloquial name) but it sure is busy. Here’s a list of domain names they have been using for their activities (gathered using passive DNS techniques; most of them are now suspended domains):

  • dir10.cz
  • adobeflasplayer10.com
  • isapid.cz
  • es-pos1.es
  • es-pos0.es
  • frankiezfunz.com
  • sofia16-online18.com
  • es-pos3.es
  • idsrv1.es
  • serverdemobank.com
  • idsrv2.es
  • id-rt01.cz
  • aktien-news-online24.com
  • id-rt04.cz
  • flashplayercolonial.com
  • srv-3id.cz
  • clrtemp.cz
  • file033.cz
  • file11.cz
  • sofia16-online24.com
  • ref-id.es
  • idsrv4.es
  • player10update.com
  • bankamericademo.com
  • dir017.cz
  • idrtd.cz
  • 0177.es
  • id-ref.cz
  • serversupdates.com
  • srv-1id.cz
  • 72.in-addr.arpa
  • id0.cz
  • bmspeedlab.org
  • id-rt03.cz
  • democolonialbank.com
  • refid73.es
  • refid70.es
  • identify-3.cz
  • colonialshow.com
  • demobankofamerica.com
  • cs03.cz
  • isapi10.cz
  • es-pos2.es
  • id-ref.be
  • 0104.es
  • idsrv10.es
  • bumospo.com
  • hawaiiantel.net
  • isdir.cz
  • cs07.cz
  • cs01.cz
  • identify-4.cz
  • ptil.cz
  • sofia18-online.com
  • idsrv11.es
  • installadobeplayer.com
  • es-pos7.es
  • colonialdemo.com
  • bmspeedlab.com
  • id-rt02.cz
  • srv-4id.cz
  • fasttrk.cz
  • bumotor.org
  • srv-7id.cz
  • bumotor.net
  • identify-1.cz
  • bumospe.tk
  • onlineserverdownload.com
  • clasmatessup.com
  • everettzfunz.com
  • file17.cz
  • demoversions10.com
  • tempdir.cz
  • demoservers1.com

Unlike some other fast flux users, these guys seem to spread across whatever TLDs they need, country-code as well as generic (the tally below counts the last label of each name, so the in-addr.arpa entry is left out):

  • 1 — be
  • 23 — com
  • 29 — cz
  • 15 — es
  • 2 — net
  • 2 — org
  • 1 — tk

The hosting IPs have stayed largely the same over this period, so pivoting on them in passive DNS will turn up the botnet’s new names as they are registered and pointed at the same infrastructure. Almost all of these domains are already detected by standard anti-phishing tools.
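The pivot described above (seed domains, their A-record hosts, then every other name sharing those hosts, repeated until nothing new appears) and the TLD tally from the previous section, as an added example that is not part of the original post. The passive DNS records are constructed for this example: the domain names come from the list above, but the IPs are RFC 5737 documentation addresses, the `*.example` names and the `ns1.bumotor.net` nameserver are made up, and the dates are illustrative. The `max_domains_per_ip` cutoff is an assumption about how to avoid pivoting through a shared-hosting box, CDN edge or sinkhole that would pull in unrelated domains.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed passive DNS records: (rrname, rrtype, rdata, first_seen).
# Domain names are from the post's list; IPs are documentation ranges, not real observations.
PDNS_RECORDS = [
    ("demobankofamerica.com", "A", "192.0.2.10",   date(2008, 12, 1)),
    ("demobankofamerica.com", "A", "198.51.100.7", date(2008, 12, 1)),
    ("demobankofamerica.com", "A", "203.0.113.1",  date(2008, 12, 2)),
    ("democolonialbank.com",  "A", "192.0.2.10",   date(2008, 12, 3)),
    ("democolonialbank.com",  "A", "203.0.113.44", date(2008, 12, 3)),
    ("idsrv1.es",             "A", "198.51.100.7", date(2008, 12, 5)),
    ("idsrv1.es",             "A", "203.0.113.44", date(2008, 12, 6)),
    ("id-rt01.cz",            "A", "192.0.2.10",   date(2008, 12, 9)),
    ("id-rt01.cz",            "A", "203.0.113.44", date(2008, 12, 9)),
    ("bumospe.tk",            "A", "198.51.100.7", date(2008, 12, 12)),
    ("srv-3id.cz",            "A", "203.0.113.44", date(2008, 12, 15)),  # only reachable via a second hop
    ("example.org",           "A", "192.0.2.200",  date(2008, 11, 20)),  # unrelated: shares no host
    ("id-rt01.cz",            "NS", "ns1.bumotor.net", date(2008, 12, 9)),  # constructed NS record, ignored
]
# 203.0.113.1 plays a crowded shared-hosting box in this constructed data: it must not be a pivot.
PDNS_RECORDS += [
    (f"hosting-customer-{i}.example", "A", "203.0.113.1", date(2008, 11, i))
    for i in range(1, 6)
]


def build_indexes(records):
    """Forward (domain -> IPs) and inverse (IP -> domains) maps over A records,
    plus the earliest first_seen date per domain."""
    dom_to_ips = defaultdict(set)
    ip_to_doms = defaultdict(set)
    first_seen = {}
    for rrname, rrtype, rdata, seen in records:
        if rrtype != "A":
            continue
        dom_to_ips[rrname].add(rdata)
        ip_to_doms[rdata].add(rrname)
        first_seen[rrname] = min(seen, first_seen.get(rrname, seen))
    return dom_to_ips, ip_to_doms, first_seen


def pivot_from_seeds(records, seeds, max_domains_per_ip=50, max_hops=3):
    """Expand known phishing domains to every domain sharing an A-record host
    with them, transitively, up to max_hops. IPs hosting more than
    max_domains_per_ip names are skipped (shared hosting, CDN edge, sinkhole).
    Returns {domain: {"hop": n, "via": [ips], "first_seen": date}}."""
    dom_to_ips, ip_to_doms, first_seen = build_indexes(records)
    found = {}
    known = set(seeds)
    frontier = set(seeds)
    for hop in range(1, max_hops + 1):
        next_frontier = set()
        for dom in frontier:
            for ip in dom_to_ips.get(dom, ()):
                siblings = ip_to_doms[ip]
                if len(siblings) > max_domains_per_ip:
                    continue  # too crowded to be a usable pivot
                for sib in siblings:
                    if sib in known:
                        continue
                    entry = found.setdefault(
                        sib, {"hop": hop, "via": set(), "first_seen": first_seen[sib]})
                    entry["via"].add(ip)
                    next_frontier.add(sib)
        known |= next_frontier
        frontier = next_frontier
        if not frontier:
            break
    for entry in found.values():
        entry["via"] = sorted(entry["via"])
    return found


def new_names_since(found, since):
    """Names first seen on the botnet's hosts on or after `since`, oldest first."""
    return sorted((d for d, e in found.items() if e["first_seen"] >= since),
                  key=lambda d: found[d]["first_seen"])


def tld_tally(domains):
    """Count last labels (com, cz, ...) the way the post does. This is the last
    label, not the public suffix: a name under co.uk would count as 'uk'."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


if __name__ == "__main__":
    seeds = {"demobankofamerica.com"}
    found = pivot_from_seeds(PDNS_RECORDS, seeds, max_domains_per_ip=4)
    for dom in sorted(found, key=lambda d: (found[d]["hop"], d)):
        e = found[dom]
        print(f"hop {e['hop']}  {dom:24s} first seen {e['first_seen']}  via {', '.join(e['via'])}")
    print("new since 2008-12-10:", new_names_since(found, date(2008, 12, 10)))
    print("TLD tally:", dict(tld_tally(seeds | set(found))))
```

Run against a real passive DNS export, the seed set would be the suspended domains above and the cutoff should be tuned to the data: a hop that lands on an IP with hundreds of names is almost always a hosting provider rather than a flux node, which is why the example drops such IPs instead of following them.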

2 Responses to “Busy Little Phishing Botnet”

December 17, 2008 at 3:27 pm, asicard said:

testing comment system 🙂

January 19, 2009 at 9:25 am, Gandi Abuse Team said:

Hello guys,

As a whitehat registrar, active in the fight against phishing and deviant internet practices, Gandi maintains a zero-tolerance policy regarding phishing.

For each fraudulent domain that was brought to our attention, we proceeded with an internal investigation of the claims of abuse and took action as required.

After the next nameserver reload (and propagation period) the phishing scams using the domain name in question were taken down.

Thank you for your help in reducing crime on the internet.

Sincerely,
Gandi.net Abuse Department