Out Catching Some Phishers!

After reading the PinoyTechBlog articles entitled Phishing: are local banks doing enough? and Phishers targeting local bank clients, I checked my SPAM folder and noticed a good number of Metrobank phishing emails inside it. I even got a new one today. So, I decided to do a bit of Internet forensics.

I loaded up the email and checked out the offending URL. Here are the details of the site:

URL: http://203.116.109.75:8081/default.asp/index.htm
Server: RedHat Linux + Apache 1.3.33 + PHP/4.3.10
Registered Owner: Serial Systems Ltd
Hosting Bandwidth/Provider: Starhub, 19 TaiSeng Drive, Singapore 535222
Hosting Bandwidth/Provider Phone Number: +65 6825 7878
Hosting Bandwidth/Provider Email Address: ipadmin@starhub.com

I visited the fake Metrobank site and was surprised by its resemblance to the actual Metrobank site. The weird thing is that this site is still up! I wonder when somebody will actually take action to have this site shut down? Or maybe somebody has already done something but some people at the other end are not cooperating. Tsk tsk tsk.

This fake site then redirects the request to the site below, which is located at a US-based third-party hosting provider. The site was hosted on a shared server. Fortunately, this site has already been taken down. Here are the details of this other site:

URL: http://216.255.181.100/metro1.php
Server: Apache 1.3.34 + PHP/4.4.1
Hosting Bandwidth/Provider: InterCage, Inc.
Hosting Bandwidth/Provider Phone Number: +1-925-550-3947
Hosting Bandwidth/Provider Email Address: abuse@intercage.com

Now let us look at the email. The ones I get all come from only one address: i577BC459.versanet.de. Here are the details of the email host:

IP Address: 87.123.196.89
Provider: Versatel Deutschland
Phone Number: +49 71120210
Email Address: abuse@versatel.de

Tracing the email is pretty hard because it might have been sent using zombies on infected personal computers. But taking down the fake site should be the first step. At the very least, we should report this to the CERT in Singapore. Good job to the guys who had the InterCage-hosted site taken down! This is definitely a positive step. Now, if only the Starhub site were also taken down, then we could definitely say this phisher was nailed.
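As an added illustration of the triage done above (this is example code, not from the original post), the script below pulls the sending host out of the Received header and flags the embedded URLs by the traits seen here: an IP-literal host, a non-standard port, and a host that is not under the bank's real domain. The email message is constructed for the example; only the URL, host name and IP values are taken from the post.

```python
import re
from email import message_from_string
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample message: the relay host, IP and phishing URL are the
# ones discussed in the post; everything else is made up for the example.
SAMPLE_EMAIL = """\
Received: from i577BC459.versanet.de ([87.123.196.89]) by mx.example.net
From: "Metrobank" <noreply@example.invalid>
Subject: Account verification required

Please verify your account at http://203.116.109.75:8081/default.asp/index.htm
or visit https://www.metrobank.com.ph/ for details.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# "from <helo-name> ([<ip>])" as written by most MTAs in Received headers
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def sending_hosts(raw):
    """Return (helo_name, ip) pairs from the Received headers, outermost first."""
    msg = message_from_string(raw)
    hosts = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hosts.append((m.group(1), m.group(2)))
    return hosts


def suspicious_urls(raw, brand_domain):
    """Flag URLs whose host is an IP literal, uses a non-standard port,
    or is not the brand's domain (or a subdomain of it)."""
    findings = []
    for url in URL_RE.findall(raw):
        p = urlparse(url)
        host = (p.hostname or "").lower()
        reasons = []
        try:
            ip_address(host)
            reasons.append("ip-literal host")
        except ValueError:
            pass
        if p.port not in (None, 80, 443):
            reasons.append(f"non-standard port {p.port}")
        if not (host == brand_domain or host.endswith("." + brand_domain)):
            reasons.append(f"host not under {brand_domain}")
        if reasons:
            findings.append((url, reasons))
    return findings
```

The abuse contacts listed in the post are the next step: the `(helo_name, ip)` pair goes to the mail provider's abuse address, the flagged URL to the hosting provider's.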

2 Responses to “Out Catching Some Phishers!”

  1. wyuwp Says:

    It appears that the black underground IT economy calls this kind of scam “pharming”. The “phishing” part is just the email that attempts to get the click. Then it is passed into the “pharming” site that grabs the credentials. More details in this Slashdot Article.

  2. Pipboy » there is no v3.0 Says:

    […] my mentor william wrote an article about this one a few days ago. he shows how some spoofing bastards out there were trying to fake customers into giving out their personal banking information by sending them to a site that looked like metrobank. […]
