IT Professionals

To Catch A Phisherman

Posted by on Jan 30, 2007 | 7 Comments

Today I received an email from a Phishing schemer trying to convince me that they were Amazon. Tired of this, I decided to see how deep this scam actually went. After investigating the header information, doing some backtracing, I was able to determine the following.

The source Web site is funhumour.net. It appears to be legit and a victim of hacking based on the location of the problem page loaded with a fictional Amazon page is located in this directory: /humour /galeries /albums /userpics /10052 /update/

Now, after some research, it looks like the breakdown is as follows: The site is of French origin with Gandi.net as the registrar. The email origin actually came from an IP tracing back to Samsung Networks Inc located in Korea. Its origin could be a possible spoof, but it’s difficult to say for sure. The name server the domain is using is based in Germany and is provided by schlund.de.

So what tidbit of info actually holds some truth here? I believe the Korean IP is the best clue. Unlike the French and German relation, which are not all that far from one another, the addition of the Korean IP reporting to be an office at Samsung Networks seems most suspect.

Still, there is no way to be 100% sure that this is not just a zombie box sending out crap messages…

At the end of the day, all I can say is that its enough to make a guy’s head explode. With any luck, one of the listed sources above is embarrassed enough to take some action. The smart money would be emailing the Web site’s owner, I suppose. But as sick of this as I am, I’ll let someone else do it this time. I’m simply too fed up with a non-stop flood of this crap, it’s frustrating.

[tags]Phisherman,phishing,scam,tired,zombie,network[/tags]

  • Carl

    Matt, Not to jinx myself, but something I’m doing must be pretty good at handling junk mail. I have used Thunderbird (presently on v1.5) for a long time. The adaptive filter has had years of training. Almost all of my email is sorted to various folders and I have not had to mark anything as junk in quite a while. I also haven’t seen any phishing mail in so long that I only get to read about the various schemes through reports from you or ScamBusters.

    I also use ZoneAlarm Anti-Virus, Ad-Aware, SpywareBlaster, and Spybot-S&D.

    I look at each email before opening it. If there is anything odd or unusual about a message in the Inbox, then I will save it as a text file and view it in Notepad so anything embedded in the message won’t get run. It has worked for me so far.

    Thanks for ‘listening’ and keep up your column.
    Carl
    ex-Network Analyst

  • Smilee Burnett

    You never say anything about Mepis or PCLinuxos which I a newbie to linux run and find easier than those you mention. Those that you mention would not run or I did not have the knowledge to run on my machine. I think that with the amount of readers and maybe to the limit of the ability of some of us to run linux you should mention these other live CD programs and how to test them on their computers.

  • Gerald Lanning

    I recently recieved an email from “Microsoft” that says that they are offering a free ” updates for Windows products as well as other Microsoft products affected ” by the new daylight savings time.
    My understanding has always been that MS never sends out emails unsolicited. Is this a real deal or an attempt to get me to install an unpleasant application on my computer?
    It’s a shame that phishing has gotten so prevalent that you can’t trust any emails you receive.

  • http://www.matthartley.com Matt Hartley

    Smilee:

    Hi, think you meant to comment on the other article, but this is fine.

    In the article talking about the Linux market, neither of these distros are players. I used to love Simply Mepis, although I am still lost as to the attraction with PCLInuxOS. Regardless, the fact is the numbers dictate who defines the market and that is Ubuntu, SuSE and RedHat/Fedora.

    Thanks for the input.

  • http://www.matthartley.com Matt Hartley

    Hi Carl,

    On any OS I have ever run, I have been using and then training POPFile. Unlike standard junk filters, you can train it to define pretty much anything: this mail is for work, this mail is junk, this mail is suspected fraud, whatever. It requires a fair amount of training for a while, but afterawhile, it’s fantastic.

    Like Thunderbird, I still have to sift through any assigned junk folder. This is where it gets old, because we have to deal with this at all.

  • Wayne

    Matt, Like you, I’m sick and tired of the criminal spammer/scammers and the incompetents who aid and abet them. I’ve tried tracking them down just as you did, but little good came of it. Since then I’ve signed up for SPAM COP which does all the tracking for you and adds the bad guys and the goofy zombie incompetents to a blocking list. …Wayne

  • Ji

    Matt,

    I’m the owner of funhumour.net!

    And I was hacked recently. I received emails telling me that someone was using my website to do some Phishing.

    As you have noticed I have a french registrar (gandi) and my web servers are based in Germany (1and1).

    BR,

    Ji