June 17th, 2009 by Steven Adair
It has been a while since I have updated anything. I have been to busy and sometimes lazy to write stuff here or on the Shadowserver website. Since my last update I have been all over the states, to Moscow, Russia and Oslo, Norway. Very cool places! In any event I am still alive and have a few interesting links to post that are worth reading if you haven’t seen them already:
It seems my comment spam awaiting moderation has reached over 10,000. Quite impressive.. there is surely a lot of interesting data from that. Might make that into a feed one of these days. Keep an eye out and I’ll try and update more with better stuff soon.
Steven
bosee domains
Posted in Links | No Comments »
May 20th, 2008 by Steven Adair
The phishers out there are once again finding new ways to obfuscate their URLs in attempts to fool end users. I am pretty sure I saw this method mentioned this elsewhere recently, but I cannot recall where. In any event, this recent phish found itself into SPAM folder on one of my e-mail accounts. Notice the URL they provided:
Subject: Tax Notification
From: “Internal Revenue Service” <taxrefund@1×8c.8xdb95d4.irs.gov>
Date: Tue, May 20, 2008 6:36 am
Internal Revenue Service (IRS)
United States Department of the Treasury
Dear Taxpayer,
After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.
Please submit the tax refund request and allow us
6-9 days in order to process it.
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.
To access the form for your tax refund, use the following personalized link:
http://0×7C.0xDB11D1/www.irs.gov/
Regards,
Internal Revenue Service
Document Reference: (0×7C.0xDB11D1).
Notice that the URL is http://0×7C.0xDB11D1/www.irs.gov/ and that they used 0×7C.0xDB11D1 as the “Document Reference” in attempt to make it look more official. Well it turns out that 0×7C.0xDB11D1 really converts to an IP address in Taiwan - 124.219.17.209. Visiting this IP address or the URL abovve ends up redirecting you http://www.comtipps.de/www.irs.gov/index.htm?memberID=0×7C.0xDB.0×11.0xD1.
This then tries to get your social security number, credit card information (including CVV code and ATM PIN), date of birth, full name and address, phone number, and finally e-mail address (wouldn’t one assume they already have this if they e-mailed you? :D). Be on the look out for this slightly different take on an old trick.
Posted in Phishing, Links | No Comments »
April 6th, 2008 by Steven Adair
As you might know, this blog runs on WordPress which already supports RSS feeds. It seems a few of you out there and several search engine/social media sites have already manually located the URLs to subscribe to my RSS feed. In an effort to be more RSS and Web 2.0 friendly, I am now signed up with Feedburner and have put direct link to my RSS feed on this website (continue reading). Hopefully this change is relatively seamless for those that are already subscribed.
For anyone that is not subscribed, you can now click the RSS Feed link on the right panel on my website or subscribe via http://feeds.feedburner.com/securityzone. If you check in on my site regularly or even infrequently and have an RSS reader, I’d recommend signing up. It’ll help you keep up with my sporadic update schedule that not even I can predict!
Posted in Random, Links | No Comments »
